Issue
After upgrading to Solr 9.2.1, an error similar to the following appears in the logs:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
This message may appear when accessing various endpoints in the Solr deployment, including system services, dashboards, and custom UIs.
Diagnosis
This issue arises from stricter Server Name Indication (SNI) host validation introduced in Solr 9.2.1 through Jetty updates. A flag that enforces SNI hostname checking is now enabled by default, which can cause 400 errors if the SNI hostname does not match the expected certificate.
Environment
Solr 9.2.1+
Cause
In Solr 9.2.1, a new JVM flag solr.jetty.ssl.sniHostCheck was introduced and defaults to true. This setting causes Solr to reject requests when the SNI host in the SSL handshake does not match the expected certificate hostname.
This behavior can surface in internal or proxy-based requests common in Kubernetes or containerized environments where hostname resolution may vary.
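To see which of the names clients use would fail a check of this kind, compare them with the names in the Solr certificate. The following is an added example, not code from Solr or Jetty: it parses the text printed by `openssl x509 -noout -ext subjectAltName` and applies common matching rules (exact name, or a wildcard covering one left-most label), which approximate Jetty's check rather than reproduce it. The sample output and all host names are constructed, and only subject alternative names are considered.

```python
import ipaddress

# Constructed sample of `openssl x509 -noout -ext subjectAltName -in cert.pem` output.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:solr.example.com, DNS:*.search.example.com, IP Address:10.0.0.5
"""


def parse_san(text):
    """Return (dns_names, ip_addresses) found in openssl's SAN text output."""
    dns, ips = set(), set()
    for line in text.splitlines():
        for entry in line.split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                dns.add(value.strip().lower())
            elif kind == "IP Address":
                ips.add(ipaddress.ip_address(value.strip()))
    return dns, ips


def host_matches(host, dns, ips):
    """True on an exact match or a '*.' entry covering one left-most label."""
    host = host.strip().rstrip(".").lower()
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal, so compare it as a DNS name
    if host in dns:
        return True
    _, dot, parent = host.partition(".")
    return bool(dot) and ("*." + parent) in dns


def audit(hosts, san_text):
    """Map each name clients connect with to True (covered) or False."""
    dns, ips = parse_san(san_text)
    return {h: host_matches(h, dns, ips) for h in hosts}


if __name__ == "__main__":
    # Constructed names: public name, wildcard hit, pod DNS name, short service name.
    hosts = ["solr.example.com", "node1.search.example.com",
             "solr-0.solr-headless.default.svc.cluster.local", "solr", "10.0.0.5"]
    for host, ok in audit(hosts, SAMPLE_SAN_OUTPUT).items():
        print(f"{'ok      ' if ok else 'MISMATCH'}  {host}")
```

Names reported as MISMATCH are the ones to check first when tracing which internal or proxied requests produce the 400 response.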
Resolution
To disable strict SNI host validation and resolve the 400 error, set the following Java system property in the Solr runtime configuration:
-Dsolr.jetty.ssl.sniHostCheck=false
How to apply the flag
Modify the Solr startup configuration or set the flag in your Kubernetes deployment spec, systemd unit file, or wherever the Solr JVM options are managed.
For example, in a Kubernetes environment using a Helm chart or container-based deployment, add the flag to the SOLR_JAVA_MEM or SOLR_OPTS environment variable, depending on your setup.
Once the configuration is updated, restart the Solr pods or service. The Invalid SNI error should no longer occur.