About
Server Name Indication (SNI) is an extension to the TLS protocol (not SSL) by which a client indicates which hostname it is attempting to connect to at the start of the handshake.
Usage
Choosing the right public Server Certificate to serve
The server uses it to respond with the server certificate specific to this server name instead of the default deployed server certificate.
If the server requires client authentication, it can also pick a specific trusted CA certificate depending on the indicated server name.
SNI is increasingly a requirement (all of Cloudflare FreeSSL works only with SNI) because it is part of the ACME challenge.
It is the TLS equivalent of the HTTP Host header: it lets one address serve multiple virtual hosts.
Choosing the right private key for client authentication
If client authentication is required, the private key associated with the certificate that was found is used to perform client (certificate-based) authentication.
How does the SNI process work?
When SNI is active, if the client:
- sends a server name:
  - the server uses the certificate CN or SAN DNS entries (Subject Alternative Name of type DNS) to:
    - do an exact match, e.g. www.example.com
    - match a wildcard name, e.g. *.example.com
  - if a match:
    - is found, that certificate is returned
    - is not found, the first/default certificate is returned
- does not send a server name:
  - the first/default certificate is returned
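The selection rule above, modelled in Python as an added example (not code from the original page): the certificate records and hostnames are constructed, the first record plays the role of the default deployed certificate, and the single-label wildcard rule (`*.example.com` matches `www.example.com` but not `example.com` or `a.b.example.com`) is an assumption taken from common TLS practice rather than something the page spells out.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for a server certificate: its CN plus SAN DNS names."""
    cn: str
    san_dns: list = field(default_factory=list)


def _candidate_names(cert):
    # The server matches the indicated name against the CN and every SAN DNS entry.
    return [cert.cn.lower(), *(n.lower() for n in cert.san_dns)]


def _name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label (assumed rule)."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def select_certificate(server_name, certs):
    """Return the cert to present; certs[0] is the default deployed certificate."""
    if not certs:
        raise ValueError("no certificate deployed")
    if not server_name:                            # client sent no SNI extension
        return certs[0]
    host = server_name.lower().rstrip(".")         # DNS names are case-insensitive
    for cert in certs:
        if any(_name_matches(p, host) for p in _candidate_names(cert)):
            return cert
    return certs[0]                                # no match: fall back to default


# Constructed sample deployment: default cert first, then two named ones.
DEPLOYED_CERTS = [
    Cert("default.example.net"),
    Cert("gerardnico.com", ["gerardnico.com", "www.gerardnico.com"]),
    Cert("*.example.com", ["*.example.com"]),
]

if __name__ == "__main__":
    for name in ("www.gerardnico.com", "www.example.com", "a.b.example.com", None):
        print(name, "->", select_certificate(name, DEPLOYED_CERTS).cn)
```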
Example
With OpenSSL (the missing line continuation after -connect is fixed):
openssl s_client \
  -connect www.gerardnico.com:443 \
  -servername gerardnico.com  # SNI setting: the name sent in the ClientHello
Support
Library
SNI is supported by all modern browsers, but outside of browsers it is not supported by older versions of:
- Java (up to JDK 6),
- Python (up to 2.7.9),
- some commonly used libraries on Android, etc.
Proxy
Nginx supports it. The indicated name is saved in the variable $ssl_server_name.
PKIX path building failed: unable to find valid certification path
If the server cannot find the certificate to present (and so returns the default one), a Java client reports this kind of error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target