Previously, every website required dedicated IP address to install an SSL certificate. However, the limitation of the number of IP addresses has triggered a requirement of SNI (Server Name Indication), which is a TLS protocol extension.
Requirement of SNI:
During the handshake, the browser asks for a digital certificate and the server has to send back the right certificate. If the name on the certificate is not matched with the desired webpage that the browser wished for, then it will show a warning message of failed connection. This dilemma leads to a perfect solution and helps the browser and the client to establish a successful connection.
How SNI Works:
Browsers that hold SNI will instantly communicate the website name that the visitor wants to connect in the beginning of the secured connection, as a result, the server easily knows and sends back the desired certificate. Even a visitor of the website will not be able to notice any difference in website loading time. Running multiple SSL certificates on a single IP address was quite difficult before few days, but Server Name Indication (SNI) has solved this problem. SNI is not a common practice because old browsers and OS do not support it. SNI also reduces the warning message arise out of failed connection with the website. A failed connection could also indicate man-in-the-middle attack.
Works on Different Scenario:
SNI technology has also resolved below scenarios while fixing SSL on website.
Multiple SSL on single IP Address:
With the help of SNI, you can also host multiple SSL on single IP address, strange but it is true. It means you have a www.domain.com, which you can use on multiple servers with the use of a private key. It also saves money and provides relief from buying multiple IP addresses for HTTPS websites.
Single SSL on multiple servers.
At the time of requesting a certificate, you have to generate private key on single server and then you have to paste it on others. You do not need to secure every server with different SSL certificate, so it will reduce certificate administration cost.
Browsers Support SNI:
Most renowned web browsers support SNI extension, including:
- Internet Explorer 7+ on Windows Vista or newer.
- Mozilla Firefox 2.0+
- Opera 8.0+ (the TLS 1.1 protocol is required)
- Opera Mobile, (10.1 beta version on Android)
- Google Chrome (Windows Vista or newer, Windows XP requires Chrome 6 or higher, OS X 10.5.7 or newer requires Chrome 5.0.342.1 or higher)
- Konqueror/KDE 4.7+
- Mobile Safari for Apple iOS 4.0 or newer
- Android standard browser on Honeycomb (v3.x) or higher
- Windows Phone 7
- MicroB on Maemo
Server Support SNI:
Many servers support SNI mentioned in below list:
- Apache 2.2.12+, must use mod_ssl
- Apache Traffic Server 3.2.0+
- Cherokee (TLS support required)
- All versions of lighttpd 1.4.x and 1.5.x with patch, or 1.4.24+ without patch
- Nginx (required OpenSSL along with SNI support)
- F5 Networks Local Traffic Manager, version 11.1+
- G-WAN Web app. Server (required OpenSSL along with SNI support)
- LiteSpeed 4.1+
- Pound 2.6+
- Apache Tomcat on Java 7+
- Microsoft Internet Information Server IIS 8
- Saetta Web Server via OpenSSL
- Citrix NetScaler 9.2+
- HAProxy 1.5+
SNI helps to get the rid from difficulty in sending the required domain name to the browser amid multiple domain names. Long ago, organization has to pay for an extra amount for IP address, but with SNI, a single IP address can host multiple SSL certificates with no extra payment of cost. The only condition is, your hosting provider should support an SNI technology.