×

Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

What is Server Name Indication (SNI) – How Does It Work?

According to Akamai, More Than 98% of Clients That Requests HTTPS Supports SNI

If you’re aware of the SSL/TLS certificate, then there’s a chance you might have come across word SNI (Server Name Indication). So, if you’re questioning what’s SNI, then you’re not alone. Many have the same problem. And SNI (Server Name Indication) is also one of the important aspects of SSL that many times gets on the radar, so it’s best you know about it too.

what is sni how it works
Put simply, SNI allows multiple sites to exist on the same IP address. The main benefit it offers is that, due to SNI, the hostname doesn’t require its IP address to install an SSL certificate.

Let’s get into details and understand what it really means and how does it work.

What’s SNI & How SNI Works?

Originally SNI (Server Name Indication) wasn’t part of the SSL protocol. But later, in 2003, it was added as an extension to SSL/TLS protocol and used in HTTPS. It’s included during the process of SSL/TLS Handshake for ensuring that client devices see the correct SSL/TLS certificate for the website they’re trying to visit.

For example, SNI helps the browser creating a secure connection with a website like https://www.itsanexample.com/. Even if it’s hosted on the same IP address where other websites are hosted like https://itsadifferentexample.com/, https://onemore-example.com/.

standard tls handshake vs tls handshake with sni
In other words, the client specifies the hostname they’re looking to connect with using the SNI extension at the time of the TLS handshake process. It allows a server like Apache, Nginx, or a loadbalancer like HAProxy to select the right private key and certificate chain needed to form the connection from a database or list from a single IP address that’s hosting all certificate. Whenever SNI is used, the server’s hostname is included in the TLS handshake, too, and enables HTTPS websites to have their unique TLS certificates, even if they’re on a shared IP address.

SNI helps prevent errors like“common name mismatch error” that’s often found whenever a client reaches the right IP address of the website they’re trying to visit, but the name on the SSL/TLS certificate doesn’t match with the name of the website. And the user gets an error message like “Your connection is not private” in their browser.

Let’s Understand More Clearly About SNI Using Analogy of Apartment & House

You can consider, SNI is something like sending a parcel to an apartment building rather than a house. Whenever any parcel is sent to someone’s house, the street address will be enough to get that parcel delivered to the right person. On the other hand, if the parcel has to be sent to an apartment building, apart from the street address, an apartment number will also be needed, or else there’s no guarantee that the parcel might be delivered to the right person. At worse, it might not get delivered at all.

Here, most of the web servers are similar to apartment buildings instead of houses. One server is used for hosting multiple domain names. So, the IP address alone won’t indicate which domain the user is trying to reach. Because it can result in the server displaying the wrong SSL/TLS certificate, that will prevent or terminate an HTTPS connection something similar to parcel didn’t get delivered to a given address, as the correct person wasn’t available to sign for it.

Benefits of SNI in Regards With SSL/TLS Certificate

Before SNI, it wasn’t possible to host multiple SSL/TLS certificates on a single IP address. So, there wasn’t an option, and you had to purchase a separate IP address for every SSL/TLS certificate installed website you wanted to host on your web server, and because of this, it was costly too. Due to this issue, IPV4 IP addresses that weren’t many and limited (only four billion) started getting used rapidly. And, it posed a huge danger to exhaustion of IPV4 addresses. And, to avoid exhaustion and to have enough time for everyone to migrate to IPV6, SNI got invented. Now, because of this SNI, we have more than 340 undecillions unique IPV6 IP addresses, which is more than enough for now.

Go through this article and know how SNI differs from IP SSL/TLS Certificate.

What’s a Server Name?

Though SNI is an acronym of Server Name Indication, SNI means the hostname of a website or a domain name, and it can be separate from the name of the webserver which hosts the domain. It’s quite common for one server to host multiple websites, and in that case, it’s known as virtual hostnames.

Put simply, the server name is the name of a computer. For web servers, the server name is usually not visible to visitors unless they host only a single domain. And, that server name is similar to the domain name that’s hosted on the server.

Here’s What SSL/TLS Extension SNI Does

Most of the time, web servers are responsible for handling multiple hostnames or domain names (website name in a human-readable format). And every hostname also has its SSL/TLS certificate installed for a secure HTTPS connection.

Here, the issue arises as all the hostnames are on one server at the same IP address. If there’s an HTTP connection, there won’t be an issue because once the TCP connection opens, the client will indicate the website they’re trying to reach in an HTTP request.

But when it comes to HTTPS connection, firstly, TLS handshake gets initiated before starting HTTP connection (HTTPS uses HTTP, though it’s used for encrypting the HTTP messages). And, without SNI, the client will fail to indicate to the server which hostname they’re talking to, which can often result in the server producing the SSL/TLS certificate for the wrong hostname.

If the name on the SSL/TLS certificate fails to match with the name the client is trying to reach, the client browser will throw an error message as mentioned above and terminate the connection.

As mentioned earlier, SNI helps to add a domain name to the TLS handshake process. To be more precise, SNI adds the hostname in the Client Hello message or the first step in an SSL/TLS handshake process.

What’s a Hostname and Virtual Hostname

Put simply, a hostname is a device that’s used for connecting to a network. In terms of the Internet, a domain name or the name of a website is called a hostname. And hostname is different from the IP address associated with the domain name.

On the other hand, virtual hostnames are those hostnames that don’t have their own IP address and are hosted on a server with other hostnames. In other words, here virtual means there’s not any dedicated physical server associated with it. It means it exists only virtually in digital format and not physically as an actual server does.

Is SNI Similar to SAN (Multi-Domain) SSL/TLS Certificate?

For many, SNI and multi-domain SSL/TLS certificate might look the same, but they’re different from each other, even if they allow you to do the same thing. As mentioned, SNI lets you host more than one SSL/TLS certificate for multiple websites under one single IP address. It means every website has its own SSL/TLS certificate.

Multi-domain SSL/TLS certificate (SAN) lets you secure multiple websites with one SSL/TLS certificate under one single IP address.

Hence, it becomes possible to use both SNI and SAN simultaneously. If you’re looking to secure multiple websites using a single SSL/TLS certificate, then SAN SSL/TLS certificate is the option to go for. If you want to use different SSL/TLS certificates for every single website, then SNI is the answer.

Is SNI Scalable? Does Web Browsers Support It?

At the time it was invented, yes, there was concern regarding its scalability. But as time passed by, many browsers and servers started supporting SNI technology. And in a recent 2017 Akamai report, it was mentioned that more than 98% of the clients that request an HTTPS connection support SNI.

Which Browsers Support SNI?

According to the Akamai report, most modern browsers support SNI, but we’ve listed desktop and mobile web-browsers that support. So, if you’re not sure whether it works or not or does your installed chrome support SNI, you can find through the below-mentioned list:

Desktop Web Browsers

  • Mozilla Firefox (Windows, Linux, Mac)
  • Google Chrome (Windows, Linux Mac)
  • Safari (Windows, Mac)
  • Opera (Windows, Linux, Mac)
  • Internet Explorer
  • Microsoft Edge
  • Konqueror (KDE) 4.7 or above

Mobile Web Browsers

  • Mobile Safari for iOS 4 and above
  • Windows Phone 7
  • For Android Honeycomb (v3.x) and above default browser
For more detailed information on which desktop or mobile browser supports SNI, visit here at the Wikipedia page.

What Happens if Installed Web Browser Don’t Support SNI?

If you’re using the latest available web-browser, you won’t face this issue as all of them support SNI. In certain scenarios like, if you’re using an old computer, older version of Internet Explorer. Older BlackBerry OS version or other outdated software versions, then there’s a possibility you won’t be able to open some modern-day websites, which use the latest HTTPS configurations. And your browser will likely display an error message such as “Your connection is not private.”

Wrapping Up

Nowadays, SNI is not unheard of, and most modern browsers use this technology. But, if you’re not aware of it and have questions, what does it mean and as a website owner, do you’ve to look into it specifically, or else how it works? Then here we’ve detailed out regarding the same. Simply go through the article and know in detail what SNI means, it’s working, which web browsers support it, and what could happen if your installed browser is not compatible.
Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More
Download Site Seal