{{announcement.body}}
{{announcement.title}}

What Is SNI and How Does It Work?

DZone 's Guide to

What Is SNI and How Does It Work?

Let's attempt to untangle the technology that is Server Name Indication (SNI).

· Security Zone ·
Free Resource

Want to know what is SNI and how it works? Well, you've come to the right place (not sure about the right time though). Quite often, this great technology goes under the radar, and that’s somewhat understandable. So, here we are doing what we always do – unscrambling the “technical” stuff.

Let’s get under the hood of the technology that is Server Name Indication.

HTTPS and IP Addresses: a Match NOT Made in Heaven

Let’s say you have five HTTP websites and you want to run them on a single IP address. What do you do? You use name-based hosts, that’s what. So, when a user requests a particular site out of five, it uses a unique HTTP header that includes hostname. In response, your server matches this header and paves the way to the requested website.

http client server interaction

However, this won’t work in the case of HTTPS. That’s because the HTTPS protocol uses an SSL/TLS handshake to enforce secure communications between the client (browser) and server. The HTTP header will only be sent once the handshake is over. As the server cannot see the information present in the HTTP header, it cannot possibly know which website to respond with.

How SNI Saved the Day (and Money!)

Before SNI was introduced, one had to purchase a unique IP address for every SSL certificate they had. This resulted in huge costs and expeditious consumption of IPv4 IP addresses. If not stopped, it would have led to rapid exhaustion of IPv4 IP addresses as there could only be around 4 billion IPv4 addresses. This depletion was inevitable, but the purpose was to delay it as much as possible to give the users enough time to migrate to IPv6, which can have around 340 undecillion (Yes, that’s a number!) unique IP addresses.

That’s why SNI had to be introduced.

SNI vs Non-SNI

Server Name Indication (SNI), an extension to the SSL/TLS protocol, allows multiple SSL certificates to be hosted on a single unique IP address. SNI does this by inserting the HTTP header (virtual domain) in the SSL/TLS handshake. As the server is able to see the virtual domain, it serves the client with the website he/she requested.

A win-win for everyone!

Is SNI Scalable?

The biggest and, perhaps, the only concern with SNI is its scalability. Initially, there weren’t many web browsers and servers supporting SNI technology. Today, that scenario has turned upside down. Almost 98 percent of the clients requesting an HTTPS-enabled site support SNI.

So, you don’t need to worry about losing your audience.

What Did We Learn?

  • TLS SNI allows running multiple SSL certificates on a single IP address.
  • SNI inserts the HTTP header in the SSL/TLS handshake so that the browser can be directed to the requested site.
  • Almost 98 percent of the clients requesting HTTPS support SNI.
  • SNI helps you save money as you don’t have to buy multiple IP addresses.
Topics:
web server ,ssl certificate ,server name indication ,sni ,https ,ip ,ip address ,security ,cybersecurity ,TLS

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}