Server Name Indication (SNI)

Server Name Indication is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

The most important reason for this extension is to allow a server to present multiple SSL web sites, or multiple certificates, on the same IP address and TCP port number. One IP address can therefore serve more than one HTTPS web site.

This extension inserts the host name into the very first request sent by the client, the ClientHello message. Standard TLS without the extension sends the host name only after the handshake.

Figure: TLS handshake using SNI
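The following added example (not part of the original page) uses Python's ssl module to build a real ClientHello in memory, then parses the server_name extension out of the raw bytes. It shows that the host name is readable in the first message, before any keys are negotiated. The host name www.example.com and the function names are assumptions chosen for illustration.

```python
import ssl
import struct

def client_hello_bytes(hostname):
    """Build a real ClientHello in memory (no network I/O) for `hostname`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has sent its hello and awaits the server
    return outgoing.read()

def extract_sni(record):
    """Return the host_name in a ClientHello record, or None if there is none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                         # version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):                    # walk the extensions
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                                    # 0 = server_name
            continue
        entry = 2                                            # skip list length
        while entry + 3 <= len(ext):
            name_len = int.from_bytes(ext[entry + 1:entry + 3], "big")
            if ext[entry] == 0:                              # 0 = host_name
                return ext[entry + 3:entry + 3 + name_len].decode("ascii")
            entry += 3 + name_len
    return None

if __name__ == "__main__":
    hello = client_hello_bytes("www.example.com")  # constructed sample name
    print(len(hello), "bytes in ClientHello; SNI =", extract_sni(hello))
```

A server that supports SNI performs the same lookup on the incoming ClientHello to decide which certificate to present.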

Supported Browsers and Servers:

The following browsers do offer support for SNI:

  • Internet Explorer 7 or higher, on Windows Vista or newer. Does not work on Windows XP and Internet Explorer 8
  • Mozilla Firefox 2.0 or higher
  • Opera 8.0 or higher (the TLS 1.1 protocol must be implemented)
  • Opera Mobile, version must be at least 10.1 beta on Android
  • Google Chrome (Windows Vista or newer, Windows XP requires Chrome 6 or higher, OS X 10.5.7 or newer requires Chrome 5.0.342.1 or higher)
  • Konqueror/KDE 4.7 or higher
  • MobileSafari for Apple iOS 4.0 or newer
  • Android standard browser on Honeycomb (v3.x) or higher
  • Windows Phone 7
  • MicroB on Maemo
  • Safari 3.0 or later (Mac OS X 10.5 or higher and Windows Vista or higher)

The following servers do offer support for SNI:

  • Apache 2.2.12 or higher, must use mod_ssl
  • Apache Traffic Server 3.2.0 or higher
  • Cherokee, must have TLS support implemented
  • All versions of lighttpd 1.4.x and 1.5.x with patch, or 1.4.24 or higher without patch
  • Nginx, when built with an OpenSSL that has SNI support
  • F5 Networks Local Traffic Manager, version 11.1 or higher
  • G-WAN Web app. Server, must use OpenSSL with SNI support
  • LiteSpeed 4.1 or higher
  • Pound 2.6 or higher
  • Apache Tomcat on Java 7 or higher
  • Microsoft Internet Information Server IIS 8
  • Saetta Web Server via OpenSSL
  • Citrix NetScaler 9.2 or higher
  • HAProxy 1.5 or higher

More and more websites support SSL, but IPv4 addresses are limited, so SNI is becoming more important than before.