SSLMagic - SNI (Server Name Indication)

What is Server Name Indication & how does it work?

What Server Name Indication (SNI) means?

SNI(Server Name Indication) is surely like mailing a package deal to an apartment building rather to a house. When mailing something to someone’s house, the street address alone is enough to get the package deal to right person. But when a package deal goes to an apartment building, it wants the apartment number in addition to the street address; otherwise, the package deal would maybe no longer go to the proper individual or would perhaps no longer be delivered at all.

Many internet servers are more like apartment buildings than houses. They host numerous domain names. The IP address alone is no longer enough to point out which domain a consumer is trying to reach. This can end result in the server showing the wrong SSL certificate, which prevents or terminates an HTTPS connection. This is actually like package deal can’t be delivered to an address if the right individual does not sign for.

When more than one internet sites are hosted on one server and share a single IP address. Every website has its private SSL certificate. The server may also no longer understand which Code Signing SSL certificate to exhibit when a purchaser device tries to securely connect to one of the websites. This reason is SSL/TLS handshake occurs earlier than the purchaser device indicates over HTTP which internet site it is connecting to.

Server Name Indication (SNI) is designed to resolve this problem. SNI is an extension for the TLS protocol (formerly recognized as the SSL protocol), which is used in HTTPS. It’s covered in the TLS/SSL handshake method in order to make certain that customer devices are capable to see the right Thawte SSL certificate for the internet site they are attempting to reach. The extension makes it suitable for specifying the hostname, or domain name, of the website all through the TLS handshake. It is better instead of when the HTTP connection opens after the handshake.

More simply put, Server Name Indication makes it feasible for a user device to open a secure connection with even if that website is hosted in the equal place (same IP address) as,, and

SNI prevents what’s recognized as a “common name mismatch error”: when a customer (user) device reaches the right IP address for a website, however the name on the SSL certificates does not fit the name of the website. Often this form of error effects in a “Your connection is no longer private” error message in the user’s browser.

SNI was once brought as an extension to TLS/SSL in 2003; it was no longer initially a section of the protocol. Almost all browsers, operating systems, and web servers support it.  Few exceptions are of some of the very oldest browsers and operating systems that are nevertheless in use.

What is a server name?

Although SNI stands for Server Name Indication, what SNI virtually “depicts” is a website’s hostname or domain name. This can be separate from the name of the internet server that is actually web hosting the domain. In fact, it is common for multiple domains to be hosted on one server – in which case they are referred to as virtual hostnames.

A server name is actually the name of a computer. For web servers this name is usually no longer visible to end users except the server hosts only one domain and the server name is equal to the domain name.

What does the TLS SNI extension do?

Often an internet server is responsible for multiple hostnames – or domain names (which are the human-readable names of websites). Each hostname will have its very own SSL certificate if the web sites use HTTPS.

The hassle is, all these hostnames on one server are at the same IP address. This isn’t always a problem over HTTP, because as soon as a TCP connection is opened the customer will point out which website they’re trying to reach in an HTTP request.

But in HTTPS, a TLS handshake takes place first, earlier than the HTTP dialog can commence (HTTPS still uses HTTP – it simply encrypts the HTTP messages). Without Server Name Indication, then, there is no way for the consumer to point out to the server which hostname they’re speaking to. As a result, the server may also produce the SSL certificates for the incorrect hostname. If the identify on the SSL certificate does no longer match the name the customer is making an attempt to reach, the client browser returns an error and generally terminates the connection.

Server Name Indication provides the domain name to the TLS handshake process. It allows the TLS procedure reaches the proper domain name and receives the right SSL certificate. This enables the rest of the TLS handshake to proceed as it normally does.

Specifically, SNI consists of the hostname in the Client Hello message, or the very first step of a TLS handshake.

What is a hostname? What is a virtual hostname?

A hostname is the name of a device that connects to a network. In the reference to Internet, a domain name, or the website name, is a kind of hostname. Both are separate from the IP address related with the domain name.

A virtual hostname is a hostname that does not have its very own IP address and is hosted on a server alongside with different hostnames. It is “virtual” in that it does not have a dedicated physical server, simply as virtual reality exists only digitally, no longer in the physical world.

What occurs if a user’s browser does not support SNI?

In this uncommon case, the consumer will probably be unable to reach certain websites, and the user’s browser will return an error message like “Your connection is no longer private.”

The large majority of browsers and operating systems support SNI. Only very old versions of Internet Explorer, old versions of the BlackBerry working system, and other out of date software program versions do no longer support Server Name Indication

Leave a Comment

Your email address will not be published. Required fields are marked *