Jason Parms

A TLS connection (the SSL handshake) is built around the certificate and the domain name for which it was issued. When the client accesses a website, it requests a digital certificate; the server responds with its server certificate, and the client then compares the name in the certificate with the domain name it is trying to connect to. If both names (the certificate name and the name typed into the browser) are the same, the connection is established; otherwise the browser shows a warning that the connection failed. A mismatch is treated as a sign of a man-in-the-middle attack, yet many users bypass this warning and continue with the connection.

To overcome this issue, an SSL certificate was tied to an IP address. A web server with a dedicated IP address per site can recognize which website the browser wants to connect to and then send the right certificate.
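As an added example (not code from the original post), the following Python implements the client-side name check the paragraphs above describe: the name typed into the browser is compared against the names a certificate carries, honouring SAN entries and the single-label wildcard form, with the commonName used only as a fallback. The certificate dicts are constructed samples laid out the way Python's ssl module returns them from getpeercert(); they are not real certificates, and the hostnames are placeholders.

```python
"""Client-side certificate name check: does the name the user typed match the
certificate the server presented?  Added example; not code from the original post.
The certificate dicts below are constructed samples in the layout that Python's
ssl.SSLSocket.getpeercert() returns (an assumption about the input format, not a
real certificate)."""
from __future__ import annotations

import ipaddress


def certificate_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_names) the certificate is valid for.

    DNS names come from the subjectAltName extension; the commonName is used
    only as a fallback when the certificate carries no DNS SANs at all.
    """
    dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    ips = [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly *.example.com) against hostname.

    A wildcard is honoured only in the leftmost label and matches exactly one
    label, so *.example.com covers www.example.com but not example.com or
    a.b.example.com.
    """
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert: dict, requested: str) -> bool:
    """True if the requested name (as typed in the browser) matches the certificate."""
    host = requested.rstrip(".").lower()
    dns_names, ip_names = certificate_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are matched only against iPAddress SANs, never DNS names.
        return any(ipaddress.ip_address(i) == ip for i in ip_names)
    return any(_dns_pattern_matches(n.rstrip(".").lower(), host) for n in dns_names)


def handshake_outcome(cert: dict, requested: str) -> str:
    """What the browser does after the name check: proceed, or warn the user."""
    if hostname_matches(cert, requested):
        return "connection established"
    return "warning: certificate name mismatch"


# Constructed sample certificates (not real): one with SANs including a
# wildcard and an IP entry, one legacy certificate carrying only a commonName.
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.shop.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for name in ("www.example.com", "api.shop.example.com", "shop.example.com", "203.0.113.10"):
        print(f"{name:25s} -> {handshake_outcome(SAN_CERT, name)}")
```

The check is case-insensitive and ignores a trailing dot, but a wildcard never spans more than one label and never matches the bare parent domain, which is the behaviour browsers apply before deciding whether to raise the warning.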

Issue of Multiple IP Addresses

As the number of IP addresses in use grew, this became problematic, because each website needed its own unique IP address. That increases hosting costs in the long run and makes a large pool of IP addresses difficult to manage. Moreover, SSL supports the SAN and Wildcard features, which made things harder for a server, since it had to hold a different certificate for each name. Finally, the CA/Browser Forum decided to bring in SNI (Server Name Indication).

What is SNI (Server Name Indication)?

Server Name Indication (SNI) is an extension to the SSL/TLS protocol. It lets the client indicate, during the handshake, the hostname it is connecting to. SNI works with modern web browsers; browsers that do not support SNI receive the server's default certificate and show a warning. At present, IPv6 addresses have replaced IPv4 addresses for serving websites.

During the secured SSL handshake, the browser passes along the exact domain name the visitor wants to connect to, so the server knows precisely which certificate to send back to the client. In that case, a server with a single IP address can serve a number of domain names, for which purchasing a single certificate is not enough.

SNI allows multiple SSL certificates on the same IP

SNI permits a server to use different SSL certificates on the same IP address, so it serves the correct certificate for each website and delivers a secured site to the customer. Each certificate is bound to a particular FQDN, and with the help of SNI the server picks the right certificate for the requested domain name.
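To show the server side of what the last three paragraphs describe, here is an added Python example (not code from the original post): it reads the server_name extension (RFC 6066) out of a TLS ClientHello and uses it to choose which certificate to present, falling back to a default certificate for a client that sends no SNI, which is the case where a non-SNI browser ends up with a warning. The ClientHello builder, the hostnames and the certificate table are constructed for the demonstration; the certificates are represented by labels only.

```python
"""Server side of SNI: pull the server_name extension (RFC 6066) out of a TLS
ClientHello and pick the certificate for that host, falling back to a default
certificate for clients that send no SNI.  Added example; not code from the
original post.  The ClientHello builder, the hostnames and the certificate
table are constructed for the demonstration."""
from __future__ import annotations

import struct

SNI_EXT = 0x0000               # extension type "server_name"
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(server_name: str | None) -> bytes:
    """Assemble a minimal ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + bytes(32)                      # client_version, random (zeros for the demo)
    body += b"\x00"                                     # empty session_id
    suites = b"\x13\x01\xc0\x2f"                        # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    sv = b"\x02\x03\x04"                                # supported_versions: [TLS 1.3]
    exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv   # unrelated extension first
    if server_name is not None:
        name = server_name.encode("ascii")              # host_name is an ASCII A-label per RFC 6066
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_server_name_list(data: bytes) -> str | None:
    """Walk the ServerNameList and return the first host_name entry."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:                              # host_name
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> str | None:
    """Return the SNI host_name from a ClientHello record, or None if the client sent none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip client_version + random
    pos += 1 + body[pos]                                # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                                   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos == len(body):
        return None                                     # pre-extension client: no SNI possible
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:                               # skip extensions until server_name
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            raise ValueError("truncated extension")
        if etype == SNI_EXT:
            return _parse_server_name_list(edata)
    return None


# Constructed table: which certificate (by label) to present for which FQDN.
CERT_TABLE = {"www.example.com": "cert-www", "shop.example.com": "cert-shop"}
DEFAULT_CERT = "cert-default"


def select_certificate(client_hello: bytes, table: dict = CERT_TABLE, default: str = DEFAULT_CERT) -> str:
    """Pick the certificate bound to the requested FQDN; non-SNI clients get the default."""
    name = extract_sni(client_hello)
    if name is None:
        return default
    return table.get(name.rstrip(".").lower(), default)


if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.com", "other.example.com", None):
        print(host, "->", select_certificate(build_client_hello(host)))
```

A real server (nginx, Apache, or Python's ssl.SSLContext with its sni_callback) does this lookup for you; the hand-written parser is here so the fields involved in SNI are visible. Note that the host name travels in the clear in the ClientHello, which is why SNI lets a server select a certificate before any key exchange has happened.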

Server Name Indication - SNI

What browsers support SNI?

Many old browsers do not support SNI, while modern browsers and servers have implemented it. Below is the list of browser and server versions required for SNI support.

 Desktop Browsers
  • Internet Explorer 7 and later on Windows Vista and later
    Internet Explorer (any version) on Windows XP does not support SNI
  • Mozilla Firefox 2.0 and later
  • Opera 8.0 (2005) and later
    TLS 1.1 protocol must be enabled
  • Google Chrome:
    Supported on Windows Vista and later
    Supported on Windows XP on Chrome 6 and later
    Supported on OS X 10.5.7 on Chrome v5.0.342.1 and later
  • Safari 2.1 and later
    Supported on OS X 10.5.6 and later
    Supported on Windows Vista and later
 Mobile Browsers
  • Mobile Safari for iOS 4 and later
  • Android default browser on Honeycomb (v3.x) and later
  • Windows Phone 7

Whether SNI can be used depends on the clients and how up to date their devices are. Without SNI, a single IP address can serve only a single host name. Earlier, a website owner had to pay for an IP address per site; with SNI, an organization does not need to spend that extra money, and a single IP address is enough for multiple host names.
