Context: IIS website with hostname header configured and TLS certificate.
When a client initiates a connection to the specified site, is this the right flow?
- Client (browser) performs DNS lookup
- TCP connection is established to the server
- Client (browser) constructs the TLS payload, in which it includes the SNI (the site name), and begins the handshake with the server
- Server looks for the certificate with the specified name in its site bindings list of certificates and responds back
- Once TLS is established, the IIS webserver routes the HTTP request to the specific site using the HOST header value.
As per my understanding, the SNI is the base information for the server to look up the certificate of the site.
What happens if, after the TLS handshake, I actually modify the HTTP Host header to target a different website? Is this possible?