Server Name Indication (SNI)

About

Server Name Indication (SNI) is an extension to the TLS protocol (it does not exist in SSL) by which a client indicates, at the start of the handshake, which hostname it is attempting to connect to.

Usage

Choosing the right public Server Certificate to serve

The server uses it to respond with a specific server certificate for this server name instead of the default deployed server certificate.

If the server requires client authentication, it can also select a specific trusted CA certificate depending on the indicated server name.

SNI is increasingly a requirement (Cloudflare FreeSSL, for instance, works only with SNI) because it is part of the ACME challenge.

It is the TLS equivalent of the HTTP Host header: it lets one server serve multiple virtual hosts.

Choosing the right private key for client authentication

If client authentication is required, the private key associated with the selected certificate is used to perform client authentication (certificate-based authentication).

How does the SNI process work?

When SNI is active, if the client:

  • sends a server name:
    • the server uses the certificate CN or SAN DNS (Subject Alternative Name with DNS) to:
      • do an exact match, e.g. www.example.com
      • match a wildcard name, e.g. *.example.com
    • if a match:
      • is found, the certificate is returned
      • otherwise, the first/default certificate is returned
  • does not send a server name:
    • the first/default certificate is returned
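The selection rules above, worked through as an added example (this is not code from the page or from any TLS library). It assumes a stand-in Certificate type carrying only the CN and SAN DNS names, that SAN entries take precedence over the CN (the RFC 6125 rule), that a wildcard replaces exactly one leftmost label, and that exact matches are tried before wildcard ones; the DEPLOYED list is a constructed sample deployment.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Certificate:
    """Stand-in for an X.509 server certificate holding only the fields SNI matching looks at."""
    label: str                                        # constructed identifier for this example, not an X.509 field
    common_name: str                                  # Subject CN
    san_dns: List[str] = field(default_factory=list)  # Subject Alternative Name dNSName entries

    def dns_names(self) -> List[str]:
        # Assumption (RFC 6125 behaviour): SAN dNSName entries are authoritative and the CN
        # is only consulted when the certificate carries no SAN at all.
        return self.san_dns if self.san_dns else [self.common_name]


def name_matches(pattern: str, server_name: str) -> bool:
    """Exact match, or wildcard match where '*' stands for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if pattern == server_name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # ".example.com"
        if not server_name.endswith(suffix):
            return False
        leftmost = server_name[: -len(suffix)]
        # The wildcard must replace a single non-empty label: www.example.com matches,
        # example.com and a.b.example.com do not.
        return bool(leftmost) and "." not in leftmost
    return False


def select_certificate(deployed: List[Certificate], server_name: Optional[str]) -> Certificate:
    """Return the certificate the server presents for the SNI value it received.

    The first deployed certificate is the default, handed out when the client sent no
    server name or when nothing matches. Exact matches are tried before wildcard matches
    so that a dedicated certificate wins over a catch-all one (a choice made by this example).
    """
    if not deployed:
        raise ValueError("no server certificate deployed")
    default = deployed[0]
    if not server_name:
        return default
    wanted = server_name.lower().rstrip(".")
    for cert in deployed:
        if any(n.lower().rstrip(".") == wanted for n in cert.dns_names()):
            return cert
    for cert in deployed:
        if any(name_matches(n, wanted) for n in cert.dns_names()):
            return cert
    return default


# Constructed deployment: a default certificate plus two named ones.
DEPLOYED = [
    Certificate("default", "default.invalid"),
    Certificate("wildcard", "*.example.com", ["*.example.com", "example.com"]),
    Certificate("shop", "shop.example.com", ["shop.example.com"]),
]


if __name__ == "__main__":
    for sni in ["shop.example.com", "www.example.com", "EXAMPLE.COM", "a.b.example.com", None]:
        print(f"SNI={sni!r:20} -> {select_certificate(DEPLOYED, sni).label}")
```

The last two sample names show the fallback case: a.b.example.com is two labels below the wildcard and a missing server name both end up with the default certificate, which is exactly the situation in which a client that expected a named certificate fails validation.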

Example

With openssl (the continuation backslash after -connect is required, otherwise the -servername option is never passed):

openssl s_client \
  -connect www.gerardnico.com:443 \
  -servername gerardnico.com # SNI setting

Support

Library

SNI is supported by all modern browsers, but outside of browsers it is not supported by older versions of:

  • Java (up to JDK 6),
  • Python (up to 2.7.9),
  • some commonly used libraries on Android, etc.

Proxy

Nginx supports it. The name is saved in the variable $ssl_server_name.

PKIX path building failed: unable to find valid certification

If the server cannot find a matching certificate to present, you will get this kind of error (this one comes from a Java client):

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
