What is Server Name Indication (SNI) – How Does It Work?
According to Akamai, More Than 98% of Clients That Requests HTTPS Supports SNI
If you’re aware of the SSL/TLS certificate, then there’s a chance you might have come across word SNI (Server Name Indication). So, if you’re questioning what’s SNI, then you’re not alone. Many have the same problem. And SNI (Server Name Indication) is also one of the important aspects of SSL that many times gets on the radar, so it’s best you know about it too.
Let’s get into details and understand what it really means and how does it work.
What’s SNI & How SNI Works?
For example, SNI helps the browser creating a secure connection with a website like https://www.itsanexample.com/. Even if it’s hosted on the same IP address where other websites are hosted like https://itsadifferentexample.com/, https://onemore-example.com/.
SNI helps prevent errors like“common name mismatch error” that’s often found whenever a client reaches the right IP address of the website they’re trying to visit, but the name on the SSL/TLS certificate doesn’t match with the name of the website. And the user gets an error message like “Your connection is not private” in their browser.
Let’s Understand More Clearly About SNI Using Analogy of Apartment & House
You can consider, SNI is something like sending a parcel to an apartment building rather than a house. Whenever any parcel is sent to someone’s house, the street address will be enough to get that parcel delivered to the right person. On the other hand, if the parcel has to be sent to an apartment building, apart from the street address, an apartment number will also be needed, or else there’s no guarantee that the parcel might be delivered to the right person. At worse, it might not get delivered at all.
Here, most of the web servers are similar to apartment buildings instead of houses. One server is used for hosting multiple domain names. So, the IP address alone won’t indicate which domain the user is trying to reach. Because it can result in the server displaying the wrong SSL/TLS certificate, that will prevent or terminate an HTTPS connection something similar to parcel didn’t get delivered to a given address, as the correct person wasn’t available to sign for it.
Benefits of SNI in Regards With SSL/TLS Certificate
Go through this article and know how SNI differs from IP SSL/TLS Certificate.
What’s a Server Name?
Put simply, the server name is the name of a computer. For web servers, the server name is usually not visible to visitors unless they host only a single domain. And, that server name is similar to the domain name that’s hosted on the server.
Here’s What SSL/TLS Extension SNI Does
Here, the issue arises as all the hostnames are on one server at the same IP address. If there’s an HTTP connection, there won’t be an issue because once the TCP connection opens, the client will indicate the website they’re trying to reach in an HTTP request.
But when it comes to HTTPS connection, firstly, TLS handshake gets initiated before starting HTTP connection (HTTPS uses HTTP, though it’s used for encrypting the HTTP messages). And, without SNI, the client will fail to indicate to the server which hostname they’re talking to, which can often result in the server producing the SSL/TLS certificate for the wrong hostname.
If the name on the SSL/TLS certificate fails to match with the name the client is trying to reach, the client browser will throw an error message as mentioned above and terminate the connection.
As mentioned earlier, SNI helps to add a domain name to the TLS handshake process. To be more precise, SNI adds the hostname in the Client Hello message or the first step in an SSL/TLS handshake process.
What’s a Hostname and Virtual Hostname
Put simply, a hostname is a device that’s used for connecting to a network. In terms of the Internet, a domain name or the name of a website is called a hostname. And hostname is different from the IP address associated with the domain name.
On the other hand, virtual hostnames are those hostnames that don’t have their own IP address and are hosted on a server with other hostnames. In other words, here virtual means there’s not any dedicated physical server associated with it. It means it exists only virtually in digital format and not physically as an actual server does.
Is SNI Similar to SAN (Multi-Domain) SSL/TLS Certificate?
For many, SNI and multi-domain SSL/TLS certificate might look the same, but they’re different from each other, even if they allow you to do the same thing. As mentioned, SNI lets you host more than one SSL/TLS certificate for multiple websites under one single IP address. It means every website has its own SSL/TLS certificate.
Multi-domain SSL/TLS certificate (SAN) lets you secure multiple websites with one SSL/TLS certificate under one single IP address.
Hence, it becomes possible to use both SNI and SAN simultaneously. If you’re looking to secure multiple websites using a single SSL/TLS certificate, then SAN SSL/TLS certificate is the option to go for. If you want to use different SSL/TLS certificates for every single website, then SNI is the answer.
Is SNI Scalable? Does Web Browsers Support It?
At the time it was invented, yes, there was concern regarding its scalability. But as time passed by, many browsers and servers started supporting SNI technology. And in a recent 2017 Akamai report, it was mentioned that more than 98% of the clients that request an HTTPS connection support SNI.
Which Browsers Support SNI?
Desktop Web Browsers
- Mozilla Firefox (Windows, Linux, Mac)
- Google Chrome (Windows, Linux Mac)
- Safari (Windows, Mac)
- Opera (Windows, Linux, Mac)
- Internet Explorer
- Microsoft Edge
- Konqueror (KDE) 4.7 or above
Mobile Web Browsers
- Mobile Safari for iOS 4 and above
- Windows Phone 7
- For Android Honeycomb (v3.x) and above default browser