Server Name Indication
SNI stands for Server Name Indication and is an extension of the TLS protocol. It indicates which hostname the browser is contacting at the beginning of the handshake process.
This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure websites to be served off the same IP address without requiring all those sites to use the same certificate.
When making a TLS connection the client requests a digital certificate from the web server. Once the server sends the certificate, the client examines it and compares the name it was trying to connect to with the name included in the certificate.
If a match occurs the connection proceeds as normal. If a match is not found the user may be warned of the discrepancy and the connection may abort as the mismatch may indicate an attempted man-in-the-middle attack.
Because the number of IP addresses is limited, requiring every website to have its own IP address can cause problems in the long term. Server Name Indication (SNI) is the solution to this problem.
Browsers that support SNI will immediately communicate the name of the website the visitor wants to connect with during the initialisation of the secured connection, so that the server knows which certificate to send back.
Some older browsers and systems cannot support the technique. This is because SNI support depends on the SSL/TLS library, which may be shipped as part of the application or as part of the operating system.
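The following added example (not part of the original page) builds a real ClientHello in memory with Python's `ssl` module and parses the server_name extension out of it, showing that the hostname is sent unencrypted in the first handshake message, before any certificate is chosen. The hostname `www.example.org` and the helper names are constructed for illustration; passing `None` models a client that sends no SNI.

```python
import ssl
import struct

def client_hello_bytes(hostname):
    """Return the first TLS record a client emits; hostname=None models a pre-SNI client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, client now waits for the server
    return outgoing.read()

def u16(buf, pos):
    """Read a big-endian 16-bit integer at pos."""
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def extract_sni(record):
    """Return the host_name in the server_name extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:       # 0x16 = handshake record
        return None
    body = record[5:5 + u16(record, 3)]
    if not body or body[0] != 0x01:                # 0x01 = ClientHello
        return None
    try:
        pos = 4 + 2 + 32                           # msg header, legacy version, random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + u16(body, pos)                  # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        end = pos + 2 + u16(body, pos)             # end of extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
            pos += 4
            if ext_type == 0 and body[pos + 2] == 0:   # server_name, type host_name
                name_len = u16(body, pos + 3)
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

if __name__ == "__main__":
    print(extract_sni(client_hello_bytes("www.example.org")))  # constructed hostname
    print(extract_sni(client_hello_bytes(None)))               # client without SNI
```

A server that receives the second kind of ClientHello has no name to select on and can only present its default certificate, which is why clients without SNI see name-mismatch warnings on shared IP addresses.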
Browsers that support SNI
In order to use Server Name Indication, the SSL/TLS library used by an application must support SNI. In addition, the application must pass the hostname to the SSL/TLS library. While a number of browsers and servers still do not support SNI, most new web browsers and SSL/TLS libraries have already implemented SNI support.
The following browsers do offer support for SNI:
Internet Explorer 7 or higher, on Windows Vista or newer. Does not work on Windows XP and Internet Explorer 8
Mozilla Firefox 2.0 or higher
Opera 8.0 or higher (the TLS 1.1 protocol must be implemented)
Opera Mobile, version must be at least 10.1 beta on Android
Google Chrome (Windows Vista or newer, Windows XP requires Chrome 6 or higher, OS X 10.5.7 or newer requires Chrome 5.0.342.1 or higher)
Konqueror/KDE 4.7 or higher
MobileSafari for Apple iOS 4.0 or newer
Android standard browser on Honeycomb (v3.x) or higher
Windows Phone 7
MicroB on Maemo
Servers that support SNI
Apache 2.2.12 or higher, must use mod_ssl
Apache Traffic Server 3.2.0 or higher
Cherokee, must have TLS support implemented
All versions of lighttpd 1.4.x and 1.5.x with patch, or 1.4.24 or higher without patch
Nginx, when built with an OpenSSL that has SNI support
F5 Networks Local Traffic Manager, version 11.1 or higher
G-WAN Web app. Server, must use OpenSSL with SNI support
LiteSpeed 4.1 or higher
Pound 2.6 or higher
Apache Tomcat on Java 7 or higher
Microsoft Internet Information Server IIS 8
Saetta Web Server via OpenSSL
Citrix NetScaler 9.2 or higher
HAProxy 1.5 or higher