Server Name Indication (SNI) 1) is an extension to the TLS protocol (not SSL) by which a client indicates, at the start of the handshake, which hostname it is attempting to connect to.
The server uses it to respond with the server certificate specific to that server name instead of the default deployed server certificate.
If the server requires client authentication, it can also select a specific trusted CA certificate depending on the indicated server name.
SNI is increasingly a requirement (Cloudflare's FreeSSL works only with SNI) because it is part of the ACME challenge.
It is TLS's equivalent of the HTTP Host header: it lets one server serve multiple virtual hosts.
If client authentication is required, the private key associated with the selected certificate is used to perform client authentication (certificate-based authentication).
When SNI is active, if the client:
With OpenSSL (libcrypto):
openssl s_client \
  -connect www.gerardnico.com:443 \
  -servername gerardnico.com   # SNI setting
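What the -servername option above actually puts on the wire is a server_name extension inside the ClientHello, and the server (or a reverse proxy, or a network sensor) reads that field before any certificate is chosen. The following is an added example, not code from the original page: it constructs a minimal TLS 1.2 ClientHello record carrying an SNI extension, parses the extension back out the way a server-side dispatcher would, and picks the certificate to present (exact name match, else the default). The certificate names and the host are constructed sample values; it covers both the SNI-present and SNI-absent cases.

```python
import struct

# TLS constants (RFC 5246 / RFC 6066)
RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record; SNI is added only when a name is given."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + bytes(32)              # client random (zeros; constructed sample, not a real hello)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent.

    Every length is checked against the buffer so a truncated or malformed hello
    raises ValueError instead of reading past the end.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")

    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    if pos + 1 > len(body):
        raise ValueError("truncated before compression_methods")
    pos += 1 + body[pos]
    if pos == len(body):
        return None                                # no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun body")

    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += ext_len
        if ext_type != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= min(list_end, len(data)):
            name_type = data[lp]
            name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            name = data[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == NAME_TYPE_HOST and len(name) == name_len:
                return name.decode("ascii")
    return None


def choose_certificate(sni, certificates, default):
    """Pick what the server presents: the certificate for the indicated name, else the default."""
    if sni is None:
        return default
    return certificates.get(sni.lower(), default)


if __name__ == "__main__":
    certs = {"gerardnico.com": "cert-gerardnico"}     # constructed sample inventory
    for name in ("gerardnico.com", "other.example", None):
        hello = build_client_hello(name)
        sni = extract_sni(hello)
        print(name, "->", sni, "->", choose_certificate(sni, certs, "cert-default"))
```

Run the file and it prints the certificate chosen for a hello naming gerardnico.com, for an unknown name, and for a hello with no SNI at all. The parser is the interesting half for a defender: because the hostname is sent in the clear before any key exchange, the same logic is what lets a load balancer route by name and what lets a sensor see which names a client asked for.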
SNI is supported by all modern browsers, but it is not supported by older versions of:
Nginx supports it 2). The indicated name is available in the variable $ssl_server_name.
If the server cannot find a certificate to present for the indicated name, you will get this kind of error (shown here from a Java client):
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target