SAP Knowledge Base Article - Preview

3474602 - SSSLERR_SERVER_CERT_MISMATCH in the ABAP Application Server instance


When connecting to an ABAP Application Server instance (as the server) through HTTPS, a "Server certificate not valid for supplied TargetHostname" error might occur at the HTTPS client or when the ABAP Application Server instance connects to an External system (acting as client).
This may happen even if parameter icm/HTTPS/client_sni_enabled is activated

For instance, in case the HTTPS client is also an ABAP instance, ICM traces displayed following line at some point:

[Thr .. ]   Disabling automagic TLSextSNI--Caller-supplied SNI detected for '<remote hostname>'!

And ICM traces with level 2 disclose the following when the error is tested:

          Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

[Thr .. ] <<- SapSSLSearchSniBlocklist()==SSSLRC_AUTOMAGIC_SNI_INACTIVE
[Thr .. ]      in: hostname = "<hostname of the server system>"
[Thr .. ] TLS SNI will not be activated for <hostname of the server system>, because SNI is disabled (icm/HTTPS/client_sni_enabled)!
[Thr .. ] IcmCheckSslClientHttp2Usable: Server <hostname of the server system> contained in SNI exclude list or is not usable for SNI. Do not use HTTP/2

[Thr .. ] *** ERROR => SSL handshake with <hostname of the server system> failed: SSSLERR_SERVER_CERT_MISMATCH (-30)
[Thr .. ]              Server certificate not valid for supplied TargetHostname (fatal rfc2818 section 3.1 mismatch)
[Thr .. ]
[Thr .. ]              SapSSLSessionStartNB()==SSSLERR_SERVER_CERT_MISMATCH
[Thr .. ]                TLSextSNI srv_name = "<hostname of the server system>"   
[Thr .. ]                TargetHostname     = "<hostname of the server system>"
[Thr .. ]                ServerCert.subject = <CN=this will be different from the instance hostname>
[Thr .. ]                ServerCert.issuer  = <CN=xxxx>
[Thr .. ]                ServerCert.SANs    = xxxx
[Thr .. ]                SSL NI-hdl 98: unix domain socket="/tmp/.sapicm<server ABAP instance HTTPS port>"
[Thr .. ]               {0086091b} {root-id=B18C900126644BE1B343410872E11864} [icxxconn.c 3607]
[Thr .. ]              role: Client, protocol: H2, local: <client ABAP instance IP address>:<client ABAP instance random TCP port>, peer: <hostname of the server systems>:<server system HTTPS port>, id: 134/2331, SNI:
[Thr .. ] ->> SapSSLSessionDoneNB(&sssl_hdl=7efe6c09fbe8,flags=0x0000,timeout=10000,&IOstate=7efe777a287c)
[Thr .. ] CCL[SSL]: Cli-00000421: Sending alert of level WARNING: close notify [ssl3_send_alert]
[Thr .. ]   SSL:SiSend(sock=  49)== 0 (SI_OK)       (out=31 of 31)
[Thr .. ] CCL[SSL]: Cli-00000421: ########## SSL connection cleaned up and destroyed. ########## [SSL_free]          



ABAP Platform
SAP Netweaver


ABAP platform all versions ; SAP NetWeaver all versions


tls, kernel, strust, SSSLERR_SERVER_CERT_MISMATCH, not valid, MISmatch , KBA , BC-CST-IC , Internet Communication Manager , BC-ESI-WS-ABA , Web Service and SOAP - ABAP , BC-SEC-SSF , Secure Store and Forward , BC-MID-ICF , Internet Communication Framework , BC-SEC-SSL , Secure Sockets Layer Protocol , Known Error

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.