What is Server Name Indication (SNI) and How it works

May 25, 2018 in SSL Technical FAQs

Server Name Indication

SNI stands for Server Name Indication and is an extension of the TLS protocol. It tells the server which hostname the client (for example a browser) is trying to reach, and it is sent at the very beginning of the TLS handshake.

This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure websites to be served off the same IP address without requiring all those sites to use the same certificate.

When making a TLS connection, the client requests a digital certificate from the web server. Once the server sends the certificate, the client examines it and compares the name it was trying to connect to with the name(s) included in the certificate.

If the names match, the connection proceeds as normal. If no match is found, the user may be warned of the discrepancy and the connection may be aborted, because a mismatch may indicate an attempted man-in-the-middle attack.

Because the number of IP addresses is limited, requiring every website to have its own IP address can cause problems in the long term. Server Name Indication (SNI) is the solution to this problem.

Browsers that support SNI will immediately communicate the name of the website the visitor wants to connect with during the initialisation of the secured connection, so that the server knows which certificate to send back.

Some older browsers and systems cannot support the technique. This is because the SSL/TLS library may be shipped as part of the browser or as part of the operating system, so SNI support depends on both the application and the library it relies on.
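To make the handshake step concrete, here is an added Python example (written for this page, not code from the original FAQ or from any of the products listed below). It constructs a minimal TLS 1.2 ClientHello with and without the server_name extension, parses the hostname back out of the record the way a server would before choosing a certificate, and then selects a certificate from a constructed lookup table. The hostnames and certificate file names are placeholders; the byte layout follows RFC 5246 and RFC 6066.

```python
import struct
from typing import Dict, Optional

# Constants from RFC 5246 (TLS 1.2) and RFC 6066 (the server_name extension).
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0x00


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (a constructed sample, not a
    capture). If hostname is None the message carries no server_name extension,
    which is what a client that does not support SNI would send."""
    body = b"\x03\x03"                    # client_version: TLS 1.2
    body += b"\x00" * 32                  # random (zeroed for the sample)
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\xc0\x2f"           # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                   # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")    # RFC 6066: host_name is ASCII, IDNA-encoded
        entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a ClientHello record and return the host_name from its server_name
    extension, or None when the client sent no SNI. Raises ValueError on malformed
    input so a server never acts on a half-parsed message."""
    try:
        if record[0] != HANDSHAKE_RECORD:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        handshake = record[5:5 + rec_len]
        if handshake[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                 # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos == len(body):
            return None                                   # no extensions block at all
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == NAME_TYPE_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc


# Constructed sample certificate table: hostname -> certificate file (placeholders).
SAMPLE_CERTS: Dict[str, str] = {
    "www.example.com": "example-com.pem",
    "*.example.net": "wildcard-example-net.pem",
}
DEFAULT_CERT = "default.pem"


def select_certificate(sni: Optional[str], certs: Dict[str, str], default: str) -> str:
    """Choose the certificate to present. Exact names win over wildcard entries; a
    wildcard covers exactly one leftmost label (RFC 6125 section 6.4.3). With no SNI
    (an old client) or no matching name, only the default certificate can be sent,
    which is why such clients see a name mismatch on a multi-site IP address."""
    if sni is None:
        return default
    host = sni.lower().rstrip(".")
    if host in certs:
        return certs[host]
    labels = host.split(".")
    if len(labels) >= 3:
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in certs:
            return certs[wildcard]
    return default


if __name__ == "__main__":
    for host in ("www.example.com", "app.example.net", "example.net", None):
        sni = extract_sni(build_client_hello(host))
        print(f"SNI={sni!r:<20} -> {select_certificate(sni, SAMPLE_CERTS, DEFAULT_CERT)}")
```

Two points worth noticing when running it: the hostname sits in the ClientHello before any key exchange has happened, so it is visible in cleartext to the server and to anyone watching the network, and a client that omits the extension leaves the server no choice but its default certificate, which is exactly the name-mismatch warning older browsers produce on shared IP addresses.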

Browsers that support SNI

In order to use Server Name Indication, the SSL/TLS library used by an application must support SNI, and the application must pass the hostname to that library. While a number of browsers and servers still do not support SNI, most newer web browsers and SSL/TLS libraries have already implemented it.

The following browsers do offer support for SNI:

  • Internet Explorer 7 or higher, on Windows Vista or newer. Does not work on Windows XP, not even with Internet Explorer 8

  • Mozilla Firefox 2.0 or higher

  • Opera 8.0 or higher (the TLS 1.1 protocol must be implemented)

  • Opera Mobile 10.1 beta or higher on Android

  • Google Chrome (Windows Vista or newer, Windows XP requires Chrome 6 or higher, OS X 10.5.7 or newer requires Chrome 5.0.342.1 or higher)

  • Konqueror/KDE 4.7 or higher

  • MobileSafari for Apple iOS 4.0 or newer

  • Android standard browser on Honeycomb (v3.x) or higher

  • Windows Phone 7

  • MicroB on Maemo

Servers that Support SNI

  • Apache 2.2.12 or higher, must use mod_ssl

  • Apache Traffic Server 3.2.0 or higher

  • Cherokee, must have TLS support implemented

  • All versions of lighttpd 1.4.x and 1.5.x with patch, or 1.4.24 or higher without patch

  • Nginx, built against an OpenSSL with SNI support

  • F5 Networks Local Traffic Manager, version 11.1 or higher

  • G-WAN Web App Server, must use OpenSSL with SNI support

  • LiteSpeed 4.1 or higher

  • Pound 2.6 or higher

  • Apache Tomcat on Java 7 or higher

  • Microsoft Internet Information Services (IIS) 8

  • Saetta Web Server, via OpenSSL

  • Citrix NetScaler 9.2 or higher

  • HAProxy 1.5 or higher