What is SNI ?
What is Server Name Indication (SNI)?
Server Name Indication (SNI) allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address. It adds the hostname of the server (website) in the TLS handshake as an extension in the CLIENT HELLO message. This way the server knows which website to present when using shared IPs. Typically, companies that use shared IPs under one server are hosting companies and they face the everyday problem: ‘how do I get my server to select and present the correct certificate?’
Here’s a closer look at the problem. On an HTTP site, a server uses HTTP HOST headers to determine which HTTP website it should present. However, when using TLS (the protocol behind HTTPS), the secure session needs to be created before the HTTP session can be established and until then, no host header is available.
So here’s the dilemma: with HTTPS, that TLS handshake in the browser can’t be completed without a TLS Certificate in the first place, but the server doesn’t know which certificate to present, because it can’t access the host header.
What is Server Name Indication (SNI)?
What Is SNI and How Can It Help?
Server Name Indication (SNI) is an extension of the TLS protocol. The client specifies which hostname they want to connect to using the SNI extension in the TLS handshake. This allows a server (for example Apache, Nginx, or a load balancer such as HAProxy) to select the corresponding private key and certificate chain that are required to establish the connection from a list or database while hosting all certificates on a single IP address.
When SNI is used, the hostname of the server is included in the TLS handshake, which enables HTTPS websites to have unique TLS Certificates, even if they are on a shared IP address
