Last updated: 14/01/2016
Server Name Indication (SNI) is a relatively recent extension to the TLS/SSL protocol that lets a browser specify which hostname it wants to connect to at the very beginning of an HTTPS request. The main advantage of SNI is that multiple certificates can be bound to one IP address of the web server, whereas without SNI a separate IP address is needed for each SSL-secured website.
The HTTP protocol has supported name-based virtual hosting ever since version 1.1. In its initial request, the browser specifies the hostname it is seeking to connect to, and the web server reads this host name from the request headers the browser sends. When browsing over SSL, the Host header cannot be read at the moment it is needed, since the SSL handshake and certificate selection happen before the browser's data are decrypted and made readable. As a result, websites hosted on the same IP address are forced to use the same SSL certificate, or to have their own IP address each, which is no longer a viable option with the current depletion of IPv4 addresses.
SNI is an extension of the TLS protocol that sends the requested hostname in clear text as part of the SSL/TLS handshake (in the browser's ClientHello message). The web server is then able to select the right website and present the right certificate to the browser.
As with all recent technologies, browser and server adoption of SNI is not universal yet. An estimated 15% of browsers have no SNI support at this moment; those legacy browsers are shown the server's default certificate, and with it the probable mismatch between the certificate's hostname and the website's name.
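To make the two paragraphs above concrete, here is an added example (not code from Kinamo, GlobalSign or any web server) that builds a minimal TLS ClientHello, pulls the hostname out of its SNI extension, and then does what a server has to do: pick the matching certificate, or fall back to the default certificate when the client sent no SNI at all. The certificate store, the host names and the ClientHello bytes are all constructed for this example; the certificate labels stand in for real certificate objects.

```python
import struct

# Hypothetical certificate store: SNI host name -> certificate label (constructed).
CERTS = {"shop.example.com": "cert-shop", "blog.example.org": "cert-blog"}
DEFAULT_CERT = "cert-default"   # what a client without SNI (or with an unknown name) gets to see


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input built here, not a real capture).

    With server_name=None the hello carries no SNI extension, like a legacy browser.
    """
    body = b"\x03\x03" + bytes(32)          # client_version + 32-byte random (zeros for the example)
    body += b"\x00"                          # session_id: empty
    body += b"\x00\x02\xc0\x2f"              # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                      # compression methods: null only
    # An unrelated extension (ec_point_formats) first, so the parser has to skip past it.
    exts = struct.pack(">HH", 0x000B, 2) + b"\x01\x00"
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(name)) + name         # NameType host_name(0)
        sni_list = struct.pack(">H", len(entry)) + entry              # ServerNameList
        exts += struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes):
    """Return the host_name carried in the SNI extension of a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    pos = 2 + 32                                          # skip client_version and random
    sid_len = p[pos]; pos += 1 + sid_len                  # skip session_id
    cs_len = struct.unpack(">H", p[pos:pos + 2])[0]; pos += 2 + cs_len   # skip cipher_suites
    cm_len = p[pos]; pos += 1 + cm_len                    # skip compression_methods
    if pos + 2 > len(p):
        return None                                       # no extensions block at all: legacy client
    ext_len = struct.unpack(">H", p[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", p[pos:pos + 4]); pos += 4
        edata = p[pos:pos + elen]; pos += elen
        if etype == 0x0000:                               # server_name extension
            q = 2                                         # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]; q += nlen
                if ntype == 0:                            # host_name entry
                    return name.decode("ascii")
    return None                                           # extensions present, but no SNI among them


def select_certificate(record: bytes, certs=CERTS, default=DEFAULT_CERT) -> str:
    """Server-side choice: the certificate for the requested name, else the default certificate."""
    return certs.get(extract_sni(record), default)


if __name__ == "__main__":
    for host in ("shop.example.com", "blog.example.org", "unknown.example.net", None):
        hello = build_client_hello(host)
        print(f"SNI={extract_sni(hello)!r:>22} -> {select_certificate(hello)}")
```

The last two cases are the ones the paragraph warns about: a browser that sends no SNI, or a name the server has no certificate for, ends up with the default certificate, and the browser then compares that certificate's name against the site it asked for.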
The first option is to use a wildcard SSL certificate, which identifies a domain and all its subdomains on the same certificate. All browsers support wildcard SSL, but the downside is that this solution only works for related domains, which isn't usually the case in a shared web hosting environment.
The second alternative is to install a SAN or multi-domain SSL certificate, which allows the hosting of disparate domain names on one certificate. Certificate Authorities impose limits on the maximum number of domains on one certificate. A SAN certificate is also issued to one organisation only, so visitors to a website will always see the hoster's company details in the certificate, and not the website owner's, which is hardly ideal.
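The difference between the two options comes down to how a browser matches the requested hostname against the names in the certificate. The added example below (not code from any browser or CA; the certificate name lists are constructed) implements the usual matching rule: a wildcard may only replace the whole leftmost label and covers exactly one label, so *.example.com covers www.example.com but not example.com, a.b.example.com or anything under another domain, while a SAN certificate simply lists each disparate name explicitly. Rejecting partial wildcards and wildcards directly under a top-level domain is a conservative simplification of what browsers do.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.domain') against a hostname.

    Rules applied: comparison is case-insensitive; '*' must be the entire leftmost
    label; it replaces exactly one label; and at least two labels must follow it
    (so '*.com' is rejected). Partial wildcards such as 'f*.example.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):        # one label only, no a.b.example.com
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate (CN or SAN entries) covers the hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


# Constructed name lists standing in for the names found in two certificates.
WILDCARD_CERT = ["example.com", "*.example.com"]
SAN_CERT = ["shop.example.com", "blog.example.org", "www.another-site.net"]


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "blog.example.org"):
        print(f"{host:>18}: wildcard={certificate_covers(WILDCARD_CERT, host)!s:5} "
              f"san={certificate_covers(SAN_CERT, host)}")
```

Run as a script it prints one line per hostname; the wildcard certificate covers only names directly under example.com, and the SAN certificate covers exactly the names it lists, which is why the SAN list (and the single organisation it is issued to) is what every visitor of every listed site sees.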
Kinamo has implemented an innovative solution developed by GlobalSign, Cloud SSL, which offers the best of both worlds. If the browser supports SNI, the website's own certificate is presented; if there is no SNI support, the default server certificate, which also contains the website's name, is shown to the browser. This even allows the use of EV certificates with a green address bar on a cloud hosting platform without sacrificing scarce IP addresses to that end. When hosting in the Kinamo Cloud, Cloud SSL is offered to you free of charge, but one of the prerequisites of Cloud SSL is that you make use of either GlobalSign or AlphaSSL certificates issued through our services.