Server Name Indication (SNI) is an extension to the TLS protocol (not SSL) by which a client indicates which hostname it is attempting to connect to at the start of the handshake.
SNI allows the server to:
- choose the right public server certificate to serve;
- choose the right private key for client authentication: if the server requires client authentication, it can use a specific trusted CA certificate depending on the indicated server name.
SNI is increasingly a requirement (Cloudflare's free SSL, for instance, works only with SNI) because it's part of the ACME challenge.
How does the SNI process work?
When SNI is active, if the client:
- sends a server name, the server selects the certificate configured for that name;
- does not send a server name, the first/default certificate is returned.
You can test it with the OpenSSL client by setting the server name explicitly:
openssl s_client \
    -connect gerardnico.com:443 \
    -servername gerardnico.com # sni settings
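As an added example (not code from the original page), the following Python builds a minimal ClientHello and extracts the server name from it, showing both branches above: the name travels in plaintext in the very first handshake message, and a ClientHello without a server_name extension yields None, which is the case where the server falls back to its default certificate. The constructed ClientHello, its cipher suite and the zero random are assumptions of this example, not values from the page.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name extension type (RFC 6066)
HOST_NAME_TYPE = 0           # NameType host_name

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed input), with an SNI extension if server_name is given."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)               # client_version, random (zeros)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00")                        # compression methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from a ClientHello record, or None when the client sent no server name."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                          # skip version and random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    if pos >= len(body):
        return None                                       # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            if name_type == HOST_NAME_TYPE:
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None
```

The same extraction applies to a real ClientHello captured off the wire, which is why SNI is visible to any middlebox between the client and the server.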
SNI is supported by all modern browsers, but it is not supported by older versions of:
- Java (up to JDK6),
- Python (up to 2.7.9),
- some commonly used libraries on Android, etc.
Nginx supports it. The name is saved in the variable $ssl_server_name.
PKIX path building failed: unable to find valid certification
If the server cannot find a certificate to present for the indicated name, you will get this kind of error (here from a Java client):
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target