Jun 8, 2017

What is SNI?

I felt like writing this post because I deal with this question quite a bit at my company. What is SNI? Well, in short, SNI is an acronym that stands for Server Name Indicator, or Server Name Indication. Wikipedia describes it as:

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.
In a shorter, more concise explanation, SNI lets us bind multiple SSL certificates to one IP address. In the past, we used to have to bind an SSL certificate to a single IP address, and any additional SSL certificates would require their own IP address.

This is a real problem when you can see that IPv4 is running out of addresses! It also became a problem if you wanted to host multiple websites on a single web server. One web server might need eight or nine IP addresses to server up eight or nine different websites!

The reason I get asked about this a lot is we have several clients whose applications don't support SNI, and when they try to connect to our API that requires SNI, they get some sort of SSL error. We have a workaround for those clients, but I still find myself having to explain this to many of the people I work with (Often several times over).

The reason the clients that don't support SNI get SSL errors is that their application isn't smart enough to tell the web server which website they are trying to connect to by using the hostname at the start of the handshake process. Because they can't tell the web server which site they are trying to connect to, they are presented with whatever is the default certificate, which doesn't match the hostname, so they get a handshake error.

I see this a lot with Java based applications, but occasionally I see this with custom .Net applications as well. I guess this depends on if the developers have taken into account SNI or not.

I also see this a lot with DataPower/WebSphere clients, but DataPower can be configured for SNI. Check out this video:




All modern browsers support SNI, and in my opinion, all modern applications should too. If your application does not support it, then I would suggest lighting a fire under your development team's collective ass, and have them update your application to support it!



Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam