What is SNI (Server Name Indication)?

messi62

Server Name Indication (SNI) is an important part of the TLS protocol that allows multiple sites with different SSL certificates to share a single IP address. This eliminates the need for separate IP addresses for each domain, making web hosting more efficient and cost-effective. Before SNI, hosting SSL-protected sites required multiple IP addresses, which increased costs and complexity. Now, companies can secure multiple domains on a single server.

In this article, we will explain what SNI is, how it works, what its benefits are, and why it has become necessary for effectively hosting secure websites.

Table of contents

What is SNI (Server Name Indication)?
How does server name indication work?
The problem SNI solves
History and development of SNI
Benefits of using SNI
SNI and SSL/TLS Certificates
SNI Compatibility Issues
Security and Privacy Concerns Related to SNI
What is SNI (Server Name Indication)?
Server Name Indication (SNI) is an extension of the mobile app development service Transport Layer Security (TLS) protocol . It allows a client, such as a web browser, to specify the name of the domain it is attempting to contact during the TLS handshake. This process allows a web server to host multiple domains with individual SSL/TLS certificates on a single IP address.

Without SNI, servers would not know which certificate to present, which could result in an error that prevents the connection from being established. SNI plays an important role in solving this problem by indicating which domain the client is connecting to before the connection is fully established.

How does server name indication work?
SNI is part of the TLS handshake process that occurs when a client (such as a browser) attempts to establish a secure connection with a server. Here's a description of how it works:




The client sends a Client Hello message to the server , which contains an SNI extension indicating the name of the domain to which it is attempting to connect.
The server looks at the SNI field and selects the appropriate SSL/TLS certificate based on the requested domain name.
Once the certificate is presented, the TLS handshake proceeds as normal, ensuring the connection is encrypted and secure.
This process prevents the “common name mismatch” error when the SSL certificate does not match the domain name the client is trying to access. SNI ensures that the correct certificate is presented for each domain located on the same IP address.

The problem SNI solves
Before SNI, web servers required separate IP addresses for each domain using its own SSL certificate. This was a major problem, especially as IPv4 addresses were depleted . Since IPv4 is limited to approximately 4.3 billion unique addresses, many hosting providers were trying to host multiple domains on a limited number of IP addresses.