SNI

June 8, 2021
Server Name Indication is an extension to the TLS encryption protocol. SNI enables a client device to indicate the domain name it attempts to connect at the first stage of the TLS handshake which comprises establishing a secure HTTPS connection including TLS certificate authentication and encryption key generation. This helps to prevent name mismatch errors.

Problem

Sometimes several websites are located on one server, have the same IP address, but each of them has its own SSL certificate. In such cases, a server may not know which of the certificates it should use when a client device tries to connect to a website. The reason is that SSL/TLS handshake takes place before a client device sends a message via HTTP saying to which website it attempts to connect. This can result in a so-called “common name mismatch error”. It means that a client connects to the right IP address, but the common name in the SSL certificate doesn’t match the domain name.

Solution

SNI participates in TLS/SSL handshake and helps clients to see the right SSL certificate for the source they try to connect. SNI adds the domain name during the TLS handshake so that the TLS process reaches the right domain name and gets the correct SSL certificate, enabling the rest of the TLS handshake to proceed as usual. In particular, SNI introduces the hostname to the Client Hello message which is the first step of TLS handshake. Thus, SNI enables clients to open a secure connection with a website even if many other resources have the same IP address.

SNI was added as an extension to TLS/SSL in 2003, and initially, it wasn’t a part of the protocol. Almost all browsers, operation systems, and web servers support SNI. If you use a very old browser version or a mobile operating system like BlackBerry, more likely you wouldn’t be able to visit certain websites and your browser will send an error message “Your connection is not private”.

We use cookies to optimize site functionality and give you the best possible experience. To learn more about the cookies we use, please visit our Cookies Policy. By clicking ‘Okay’, you agree to our use of cookies. Learn more.