Friday, August 10, 2018

Server Name Indication (SNI)

SNI (Server Name Indication) is an extension to the SSL/TLS protocol. It lets the client indicate, during the handshake, the hostname it is connecting to. SNI therefore permits a server to use different SSL certificates on the same IP address: it serves the correct certificate for each website and delivers the secured site to the customer. Each certificate is bound to a particular FQDN, and with the help of SNI the server picks the right certificate for the requested domain name.

A more generic solution for running several HTTPS servers on a single IP address is the TLS Server Name Indication extension (SNI, RFC 6066), which allows a browser to pass the requested server name during the SSL handshake, so the server knows which certificate it should use for the connection. SNI is currently supported by most modern browsers, though it may not be used by some old or special clients.

During the SSL handshake, in the "Client Hello" packet, you should see "Extension: server_name".

The latest Nginx server supports SNI. If you run nginx -V, the output should include: TLS SNI support enabled
