Server Name Indication (SNI)
Server Name Indication is an extension of SSL/TLS by which the client indicates, at the start of the handshake, which host name it wishes to connect to. This enables the server to present one of several certificates, and as a consequence it becomes possible to serve several SSL-secured websites from a single IP address and port (port 443). Using SNI eliminates the need for a separate IP address for each SSL-secured website on a web server.
Enabling SNI has no influence on the type of SSL certificate you use to set up a secure connection. Every SSL certificate is SNI-compatible.
Background of the Problem
When establishing an SSL / TLS connection, the client requests a digital certificate from the server. As soon as the server sends the certificate, the client compares the name it tried to connect to with the name recorded in the certificate. If the two names match, the connection proceeds normally. If the names do not match, the user is alerted to the discrepancy and the connection is terminated. This is done because a mismatch could indicate an attempted man-in-the-middle attack.
Name-based virtual hosting enables a server (typically a web server) to host multiple DNS host names on a single IP address. To do so, the server uses a host name it receives from the client as part of the protocol (for HTTP, the name is carried in the Host header). With HTTPS, however, the SSL / TLS handshake takes place before the server sees the HTTP headers. It is therefore not possible for the server to use the HTTP Host header to decide which certificate to present, so all domain names sharing one IP address have to use the same certificate.
Server Name Indication (SNI), an extension of TLS, solves this problem by sending the name of the virtual domain as part of the TLS negotiation. This enables the server to select the correct virtual domain and present the correct certificate to the browser. For this reason, clients and servers supporting SNI can use a single IP address (with several certificates) for several domain names.
To be able to use SNI, the SSL / TLS library used by an application has to support SNI, and the application has to pass the host name on to the SSL / TLS library. A complication is that the SSL / TLS library may be shipped as part of the application or as part of the operating system. Because of this, some browsers support SNI on all operating systems, while others only support SNI on specific operating systems. As of 2011, most browsers and SSL libraries have implemented SNI support, but a large number of users remain whose combination of browser and operating system does not support it.
The following combinations do not support SNI:
- Internet Explorer (any version) on Windows XP
- Safari on Windows XP
- BlackBerry Browser
- Windows Mobile up to 6.5
- Android's default browser on Android 2.x
- IBM HTTP Server
The following combinations do support SNI:
- Internet Explorer 7 or later, on Windows Vista or later. Does not work on Windows XP, not even in Internet Explorer 8.
- Mozilla Firefox 2.0 or later
- Opera 8.0 or later (the TLS 1.1 protocol has to be activated)
- Opera Mobile at least version 10.1 beta on Android
- Google Chrome (Windows Vista or later; Windows XP on Chrome 6 or later; OS X 10.5.7 or later on Chrome 5.0.342.1 or later)
- Safari 2.1 or later (Mac OS X 10.5.6 or later and Windows Vista or later)
- Konqueror/KDE 4.7 or later
- MobileSafari in Apple iOS 4.0 or later
- Android default browser on Honeycomb or later
- Windows Phone 7
- MicroB on Maemo
- Apache 2.2.12 or later by using mod_ssl
- F5 Networks Local Traffic Manager with version 11.1 or later
- LiteSpeed 4.1 or later
- Pound 2.6 or later
- Apache Tomcat on Java 7 or later
- Microsoft Internet Information Services (IIS) 8
- PageKite tunneling reverse proxy
To make use of SNI, your browser has to support TLS 1.0 and TLS 1.0 has to be enabled. Follow these steps to enable TLS 1.0 in your browser:
Firefox: Tools → Options → Advanced → Encryption → Use TLS 1.0
Internet Explorer: Tools → Internet Options → Advanced → Use TLS 1.0