Sometimes several websites are located on one server, have the same IP address, but each of them has its own SSL certificate. In such cases a server may not know which of the certificates it should use when a client device tries to connect to a website. The reason is that SSL/TLS handshake takes place before a client device sends a message via HTTP saying to which website it attempts to connect. This can result in a so-called “common name mismatch error”. It means that a client connects to the right IP address, but the common name in the SSL certificate doesn’t match the domain name.
SNI participates in TLS/SSL handshake and helps clients to see the right SSL certificate for the source they try to connect. SNI adds the domain name during TLS handshake so that the TLS process reaches the right domain name and gets the correct SSL certificate, enabling the rest of the TLS handshake to proceed as usual. In particular, SNI introduces the host name to the Client Hello message which is the first step of TLS handshake. Thus, SNI enables clients to open a secure connection with a website even if many other resources have the same IP address.
SNI was added as an extension to TLS/SSL in 2003, and initially it wasn’t a part of the protocol. Almost all browsers, operation systems, and web servers support SNI. If you use a very old browser version or a mobile operating system like BlackBerry, more likely you wouldn’t be able to visit certain websites and your browser will send an error message “Your connection is not private”.