Questions tagged [sni]

Server Name Indication(SNI) is an extension of Transport Layer Security which allows multiple secure web sites, with separate certificates, to be hosted at the same IP address

Server Name Indication addresses a common issue where websites with an SSL certificate had to live on separate IPs. This exacerbated the IPv4 shortage, as well as defeated the purpose of virtual hosting, where multiple non-secured sites could share the same IP (note that websites sharing a common certificate can always share an IP).

SNI is based on IETF RFC 4366, which, as part of Transport Layer Security(TLS), allowed the hostname to be sent in the initial stages of the TLS handshake. This allowed websites with different certificates to be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. It requires OpenSSL 0.9.8f or later

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later
179 questions
110
votes
5 answers

Multiple SSL domains on the same IP address and same port?

This is a Canonical Question about Hosting multiple SSL websites on the same IP. I was under the impression that each SSL Certificate required it's own unique IP Address/Port combination. But the answer to a previous question I posted is at odds…
John
  • 7,153
  • 22
  • 61
  • 86
49
votes
3 answers

How can I detect if a server is using SNI for HTTPS?

I'm looking for a simple way to know if a server is using the Server Name Indication SSL extension for its HTTPS certificate on a website. A method that uses either a browser or Unix command line is fine. Thanks!
spookylukey
  • 593
  • 1
  • 4
  • 6
36
votes
3 answers

Setting up default SSL site on IIS8

I have setup few websites on IIS8 all using the same wildcard SSL certificate. Some of the sites need to be accessible to older browsers and operating systems, therefore I cannot use the "Require Server Name Indication" option. Since SNI is not…
Emil
  • 461
  • 1
  • 4
  • 6
28
votes
4 answers

What is the difference between SAN and SNI SSL certificates?

Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
AFA Med
  • 447
  • 1
  • 5
  • 15
25
votes
4 answers

Can a Reverse Proxy use SNI with SSL pass through?

I need to serve several applications over https using one external ip address. The ssl certificates should not be managed on the reverse proxy. They are installed on the application servers. Can a reverse proxy be configured to use SNI and pass ssl…
user319862
  • 757
  • 2
  • 8
  • 18
21
votes
3 answers

"Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]" error

After recently upgrading Apache2 to version 2.2.31 I found a strange behaviour in SSL VirtualHost setup. A few of the website I'm hosting were showing the certificate for the default host even if the client was Server Name Identification aware, and…
usr-local-ΕΨΗΕΛΩΝ
  • 2,339
  • 7
  • 33
  • 50
21
votes
6 answers

Redirect to SSL only if browser supports SNI

I have Apache 2.2 with mod_ssl and a bunch of sites in HTTPS on the same IP/port with VirtualHosting, so client must support SNI to connect to those virtual hosts. I would like to configure my server the following way: When a user types…
usr-local-ΕΨΗΕΛΩΝ
  • 2,339
  • 7
  • 33
  • 50
13
votes
2 answers

Using SNI on Windows Server 2012 R2 not working

I am trying to get both my sites running with their seperate certificates on a Windows Server 2012 R2. Should this not be possible? On the last added site www.c1get.net I get the certificate from the first site and a warning therefore. Update SSL…
Poul K. Sørensen
  • 191
  • 1
  • 3
  • 14
12
votes
3 answers

SNI and wildcard SSL certificates on the same server with IIS

I'd like to host a website that should listen to subdomains (e.g. sub.domain.com) together with multiple websites that live just under a second-level domain (e.g. domain2.com, domain3.com) with IIS and with SSL. For the website with the subdomains I…
Piedone
  • 384
  • 1
  • 6
  • 18
12
votes
1 answer

How to define which SSL certificate nginx sends first with SNI?

I use nginx 1.2.7 with OpenSSL 0.9.8o on Debian Squeeze for about 30 domains. On two of them I enabled SSL which works fine on both. The SSL config is use for both domains: listen 443 ssl; ssl_certificate…
cider
  • 129
  • 1
  • 3
11
votes
3 answers

Does SNI represent a privacy concern for my website visitors?

Firstly, I'm sorry for my bad English. I'm still learning it. Here it goes: When I host a single website per IP address, I can use "pure" SSL (without SNI), and the key exchange occurs before the user even tells me the hostname and path that he…
pagliuca
  • 243
  • 2
  • 10
10
votes
2 answers

How do I setup multiple subdomains with their own certificate using nginx?

Unless every answer that I've read was plain wrong, SNI should make it possible to do what I want, yet every guide tells me to do exactly what I'm doing. And yet nginx is serving the wrong certificate so I'm clearly doing something wrong. ❯ sudo…
Wayne Werner
  • 709
  • 4
  • 14
  • 26
10
votes
2 answers

using nginx with SNI

By now I've not used SNI with nginx yet. But as IP address pools are quite filled and commercial XP support is about to cease (finally) I'm thinking about converting a few sites to SNI. I'm aware of the general limitations and pitfalls that might…
justlovingIT
  • 475
  • 3
  • 11
10
votes
2 answers

Why does apache httpd tell me that my name-based virtualhosts only works with SNI enabled browers (RFC 4366)

Why does apache give me this error message in my logs? Is it a false positive? [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366) I have recently upgraded from Centos 5.7 to 6.3, and…
Arlukin
  • 1,203
  • 6
  • 18
  • 27
9
votes
2 answers

Can a hardware load-balancer route SSL traffic with SNI?

We've got a webserver farm currently hosting 2 applications - both applications are running on all servers. We want to split this so we have a dedicated server farm for each app (we have good reasons for this). We'd hoped to have a single…
potomato
  • 101
  • 4
1
2 3
11 12