Server Name Indication (SNI)

Imagine you have a big box with many smaller boxes inside, each for different friends. When someone wants to open one of the smaller boxes, they need to tell you which friend’s box they want. That’s what SNI does for websites on a server.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol that allows a client to specify the hostname it wants to connect to at the start of the TLS handshake process. This is particularly useful when multiple websites are hosted on the same IP address, allowing the server to present the correct SSL/TLS certificate for the requested hostname.

How SNI Works

1. Client Hello:
   • When a client (e.g., a web browser) connects to a server, it initiates the TLS handshake by sending a “Client Hello” message.
   • The SNI extension is included in this message, specifying the hostname of the website the client wants to connect to.
2. Server Response:
   • The server reads the SNI hostname from the “Client Hello” message.
   • The server selects the appropriate SSL/TLS certificate for that hostname and sends it to the client as part of the TLS handshake.
3. Secure Connection:
   • Once the correct certificate is provided, the TLS handshake continues, and a secure connection is established between the client and the server.

Importance of SNI

1. Hosting Multiple SSL Certificates:
   • Allows hosting multiple SSL certificates on a single IP address, enabling secure connections for multiple domains.
2. Cost Efficiency:
   • Reduces the need for multiple IP addresses, lowering costs for hosting providers and businesses.
3. Simplified Configuration:
   • Simplifies the configuration and management of SSL certificates for websites hosted on the same server.

Example: How SNI is Used by Big Companies

Cloudflare: Cloudflare uses SNI to provide SSL/TLS protection for websites on their content delivery network. This allows them to secure multiple websites hosted on the same IP address with different SSL certificates.

Amazon Web Services (AWS): AWS uses SNI in services like Amazon CloudFront and Elastic Load Balancing to enable secure connections for multiple domains on a single server or load balancer.

Technical Details

• Protocols: SNI is an extension to the TLS protocol and is supported in TLS 1.0, 1.1, 1.2, and 1.3.
• Implementation: Supported by most modern web browsers and servers, including Apache, Nginx, and Microsoft IIS.

SNI Handshake Example

1. Client Hello:
   • Client sends a “Client Hello” message with the SNI extension specifying “example.com”.
2. Server Hello:
   • Server recognizes “example.com” and sends the corresponding SSL certificate.
3. Key Exchange:
   • Client and server exchange keys and establish a secure session.
4. Secure Connection:
   • Client and server communicate securely using the established session.

References

• SSL/TLS and SNI Overview
• RFC 6066 - TLS Extensions
• AWS Elastic Load Balancing - SNI