What is Server Name Indication (SNI)?

Last updated: 14/06/2018

Server Name Indication is a recent extension to the TLS and SSL protocols that lets a browser state which host it wants to connect to at the very start of an HTTPS connection. The main advantage of SNI is that several certificates can be bound to a single IP address on the web server, whereas without SNI every SSL-secured website needs its own IP address.

The HTTP protocol has supported name-based virtual hosting since version 1.1: in its initial request the browser states the hostname it wants to reach, and the web server reads that name from the request headers.
When browsing over SSL, the Host header cannot be read in time, because the SSL handshake and certificate selection happen before the browser's data is decrypted and becomes readable. As a result, websites hosted on the same IP address are forced either to share one SSL certificate or to have an IP address each, which is no longer a viable option given the current depletion of IPv4 addresses.

SNI is an extension of the TLS protocol that sends the requested hostname as part of the SSL/TLS handshake itself, before any encryption is in place. The web server can then select the right website and present the matching certificate to the browser.

As with all recent technologies, browser and server adoption of SNI is not yet universal. An estimated 15% of browsers have no SNI support at this moment; those legacy browsers are shown the server's default certificate, and most likely a mismatch between the certificate's hostname and the website's name. All modern browsers support SNI; the problem is limited to older browsers on smartphones and older operating systems.

For websites that must also serve those legacy browsers, the first alternative to SNI is a wildcard SSL certificate, which identifies a domain and all of its subdomains on one certificate. All browsers support wildcard certificates, but the downside is that this only works for related domains, which is not usually the situation in a shared web hosting environment.

The second alternative is a SAN or multi-domain SSL certificate, which allows unrelated domain names to be hosted on one certificate. Certificate Authorities impose limits on the maximum number of domains on a single certificate. A SAN certificate is also issued to one organisation only, so visitors to a website will always see the hoster's company details in the certificate rather than the website owner's, which is hardly ideal.