A TLS (formerly SSL) handshake is tied to the certificate and the domain name it was issued for. When a client connects to a website it expects the server to present a digital certificate; the server sends its certificate and the client compares the names in it (the subject and the Subject Alternative Names) with the hostname it is trying to reach. If the certificate covers the name typed in the browser, the connection proceeds; if it does not, the browser shows a warning that the connection is not trusted. From the client's point of view a name mismatch is exactly what a man-in-the-middle attack looks like, although in practice it is more often a misconfigured server. Many users click through this warning anyway, which is why the server must present the right certificate in the first place.
Before SNI, the server chose a certificate by the IP address the connection arrived on. Each HTTPS site was bound to its own IP address, so the server could tell from the destination address which site the browser wanted and send the matching certificate.
The Problem with Multiple IP Addresses:
As the number of HTTPS sites grew this became a problem, because every site needed its own IPv4 address. Addresses are scarce, they raise hosting costs over time, and managing many of them is an operational burden. Certificates with Subject Alternative Names (SAN) or wildcards let one certificate cover several names, but a server still needed a separate IP address for every certificate it wanted to present. The fix came from the IETF, which added the Server Name Indication (SNI) extension to TLS (first in RFC 3546, now RFC 6066).
What is SNI?
Server Name Indication (SNI) is an extension to the TLS (SSL) protocol. With it, the client names the host it wants to reach in its first handshake message (the ClientHello), before any certificate is sent, so the server can choose the certificate for that host. All modern browsers send SNI; a client that does not receives the server's default certificate and, if the name does not match, a warning. IPv6 would make addresses plentiful enough to return to one address per site, but IPv4 is still in wide use, so SNI remains the way to share one address among many TLS sites.
Because the browser states the exact domain name the visitor typed during the handshake, the server knows which certificate to send back. A server on a single IP address can then host many domain names, each with its own certificate (or with one SAN or wildcard certificate that covers several of them).
SNI therefore lets one server present different certificates on the same IP address and deliver the correct certificate for each site. Each certificate is bound to a particular fully qualified domain name (FQDN), or to a set of them, and the server uses the SNI value to pick the certificate that covers the requested name. One caveat: the server_name extension travels in the ClientHello in cleartext, so anyone on the network path can read which hostname a client is asking for even though the rest of the session is encrypted.
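As an added illustration (example code written for this page, not code from the original article or from any browser or server mentioned here), the following Python builds a minimal TLS ClientHello with and without the server_name extension, extracts the SNI the way a server would, picks a certificate for it, and then applies the name comparison the browser performs from the first section. The "certificates" are stand-in records that carry only a name, and the hostnames under example.org and example.net, as well as all function names, are assumptions. It also exercises the failure mode described above: a client that sends no SNI gets the default certificate, and the browser's name check then fails.

```python
import os
import struct

# TLS framing constants (RFC 5246 record/handshake layout, RFC 6066 server_name).
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION_TYPE = 0x0000
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name=None):
    """Client side: return a minimal ClientHello record. The server_name
    extension is included only when server_name is given; a legacy client
    that does not support SNI simply omits it."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni
    body = (
        b"\x03\x03"                                      # legacy_version (TLS 1.2)
        + os.urandom(32)                                 # client random
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"             # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                    # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Server side: walk the ClientHello and return the host_name from the
    server_name extension, or None when the client sent no SNI."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip legacy_version and random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return None                                      # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def hostname_matches(pattern, hostname):
    """The browser's check (RFC 6125 style): case-insensitive exact match, or a
    wildcard that is the whole leftmost label and covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def select_certificate(server_name, certificates, default):
    """Server side: the first certificate whose name covers the SNI value; a
    client that sent no SNI (or an unknown name) gets the default certificate."""
    if server_name is not None:
        for cert in certificates:
            if hostname_matches(cert["name"], server_name):
                return cert
    return default


def simulate_handshakes():
    """Constructed scenario: one IP address, two sites, three clients. Returns, per
    client, the certificate name served and whether the browser's check passes."""
    certificates = [{"name": "www.example.org"}, {"name": "*.example.net"}]  # stand-ins
    default = certificates[0]
    results = {}
    for typed, sends_sni in [("www.example.org", True), ("shop.example.net", True),
                             ("shop.example.net", False)]:   # third client: no SNI support
        hello = build_client_hello(typed if sends_sni else None)
        cert = select_certificate(parse_sni(hello), certificates, default)
        results[typed if sends_sni else "no-SNI"] = (cert["name"], hostname_matches(cert["name"], typed))
    return results
```

The third client in simulate_handshakes() typed shop.example.net but sent no server_name, so the server had nothing to select on, answered with its default certificate for www.example.org, and the browser's name comparison fails, which is the warning the legacy clients listed below produce.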
Browsers and SNI:
Older browsers do not support SNI, while modern browsers and servers do. The following client and server versions support SNI:
- Internet Explorer ≥7.0 for Windows Vista or newer
- Mozilla Firefox ≥2.0
- Opera ≥ 8.0 (with TLS 1.1 enabled)
- Opera Mobile 10.1 on Android
- Google Chrome (Windows Vista or newer)
- Konqueror/KDE ≥4.7
- MobileSafari for Apple iOS ≥4.0
- Windows Phone 7
- MicroB on Maemo
- Android Honeycomb 3.0 for tablets and Ice Cream Sandwich (4.x) for phones
- Apache ≥ 2.2.12 (with mod_ssl)
- Apache Traffic Server ≥ 3.2.0
- Cherokee, if built with TLS support
- Lighttpd 1.4.x and 1.5.x with patch, or ≥ 1.4.24 without patch
- Nginx, built against an OpenSSL with SNI support
- F5 Networks Local Traffic Manager ≥ 11.1
- G-WAN web application server, with an OpenSSL that has SNI support
- LiteSpeed ≥ 4.1
- Pound ≥ 2.6
- Apache Tomcat on Java ≥ 7
- Microsoft Internet Information Services (IIS) ≥ 8
- Saetta Web Server, via OpenSSL
- Citrix NetScaler ≥ 9.2
- HAProxy ≥ 1.5
Notable clients without SNI support:
- Internet Explorer on Windows XP (any version) does not send SNI; these users receive the server's default certificate and a certificate warning.
- The stock browser on Android Gingerbread (2.3) does not support SNI.
Whether SNI can be relied on therefore depends on the clients and how up to date their software is. Without SNI, one IP address can serve only one hostname over TLS, and site owners used to pay for an extra address per site. With SNI, a single IP address can serve many hostnames, so that extra cost disappears.