What is SNI (Server Name Indication)?
What is SNI?
SNI (Server Name Indication) is an extension to the TLS protocol, defined in RFC 6066, that lets a single IP address and port host multiple HTTPS-enabled sites, each with its own certificate.
How does it work?
Before SNI, the client (i.e. the browser) only sent the requested hostname to the web server inside the HTTP request, in the Host header, which is encrypted as part of the HTTPS payload (Figure 1). Because the Host header was encrypted, the TLS handshake, including the choice of certificate, had to be completed before the server could read it. As a result, websites hosted on the same IP address were forced to share one certificate, or each needed its own IP address.
Figure 1 - TLS Handshake without SNI.
SNI lets the client include the requested hostname in the first message of the TLS handshake, the ClientHello, as the server_name extension (Figure 2). The web server uses this hostname to select and present the correct certificate to the client, which allows multiple certificates to be served from a single IP address. Two points follow from this design: the ClientHello is sent in the clear, so the SNI hostname is visible to anyone on the network path; and a server still has to decide what to present when the extension is absent (an old client) or names a host it does not know, which is normally a configured default certificate.
Figure 2 - TLS Handshake with SNI.
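The handshake step described above, as an added example (not code from the original page): a minimal TLS 1.2 ClientHello is built with and without the server_name extension, the extension is parsed back out the way a proxy or packet-capture tool would do it, and a server-side lookup picks a certificate from the SNI value, falling back to a default when the extension is missing or names an unknown host. The record layout follows RFC 5246 and RFC 6066; the cipher suite, the all-zero random and the certificate labels are placeholders constructed for the example.

```python
import struct
from typing import Dict, Optional

# TLS constants (RFC 5246 record/handshake types, RFC 6066 extension type)
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION_TYPE = 0x0000
HOST_NAME_TYPE = 0x00


def build_sni_extension(hostname: str) -> bytes:
    """Encode the server_name extension (RFC 6066 section 3).

    Layout: ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name.
    RFC 6066 forbids IP literals in the host_name; a quick sanity check rejects them.
    """
    if not hostname or hostname.replace(".", "").isdigit() or ":" in hostname:
        raise ValueError("SNI must carry a DNS hostname, not an IP literal")
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record, with or without SNI.

    Constructed for this example: one cipher suite, an all-zero random, no
    session id and no other extensions. hostname=None models a pre-SNI client.
    """
    body = b"\x03\x03"            # client_version: TLS 1.2
    body += bytes(32)             # random (zeros here; 32 random bytes in practice)
    body += b"\x00"               # session_id: empty
    body += b"\x00\x02\xc0\x2f"   # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"           # compression_methods: null only
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _sni_from_body(body: bytes) -> Optional[str]:
    """Walk the ClientHello body and return the SNI host_name, or None if absent."""
    pos = 2 + 32                                           # client_version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos >= len(body):
        return None                                        # legacy client: no extensions block
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", data[:2])[0], len(data))
        p = 2
        while p + 3 <= list_end:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                return name.decode("ascii", errors="replace")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record holding a ClientHello; truncated input raises ValueError.

    This is the kind of parser that ends up reading untrusted bytes (pcaps,
    proxies, honeypots), so it refuses incomplete records instead of guessing.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        return _sni_from_body(body)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc


def select_certificate(record: bytes, certs_by_name: Dict[str, str], default: str) -> str:
    """Server-side certificate selection driven by SNI.

    certs_by_name maps a hostname to a certificate label (a file path in a real
    server; plain strings here). A missing or unknown name gets the default
    certificate, which is exactly what a pre-SNI client would have been served.
    """
    sni = extract_sni(record)
    if sni is None:
        return default
    return certs_by_name.get(sni.lower(), default)


if __name__ == "__main__":
    certs = {"shop.example.com": "shop-cert", "blog.example.com": "blog-cert"}
    for host in ("shop.example.com", "unknown.example.com", None):
        print(host, "->", select_certificate(build_client_hello(host), certs, "default-cert"))
```

The fallback in select_certificate is the point to watch in a real deployment: whatever certificate the default slot holds is what an attacker or scanner sees when probing the bare IP, so it should not be a certificate for a host you would rather not advertise.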
How is this different to SAN?
Unlike SNI, which is a TLS extension, SAN (Subject Alternative Name) is a field of the X.509 certificate specification. The Subject Alternative Name extension lets you list additional names (DNS names, and also IP addresses) that are valid for the certificate's subject, in addition to the Common Name, which can only hold a single hostname. Modern browsers match hostnames only against the SAN and ignore the Common Name, so a certificate that names its hosts in the Common Name alone will be rejected.
NOTE Subject Alternative Names and wildcard names are the two main ways of using a single certificate for multiple hostnames. They complement SNI rather than replace it: SNI tells the server which certificate to present, while SAN entries and wildcards determine which hostnames that certificate is valid for.
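Hostname matching against SAN entries and wildcard names, as an added example (not code from the original page): the rules implemented are those of RFC 6125 as browsers apply them, namely case-insensitive comparison, a wildcard only as the whole leftmost label matching exactly one label, IP-literal hostnames matched only against iPAddress entries, and the Common Name consulted only when the certificate has no SAN at all and the caller explicitly opts in. The SAN lists and names are constructed inputs; in practice they would be read from the certificate with an X.509 library.

```python
import ipaddress
from typing import Iterable, Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry (or a CN) against a hostname.

    A wildcard must be the entire leftmost label, matches exactly one label
    (so *.example.com covers www.example.com but not example.com or
    a.b.example.com), and must sit under at least two more labels so that
    "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname or not hostname:
        return False                       # reference identifiers never contain wildcards
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                       # partial wildcard (w*.example.com) or too short
    if any("*" in label for label in p_labels[1:]):
        return False                       # wildcard only allowed in the leftmost label
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def certificate_matches_host(san_dns: Iterable[str], san_ips: Iterable[str],
                             common_name: Optional[str], hostname: str,
                             allow_cn_fallback: bool = False) -> bool:
    """Decide whether a certificate is valid for `hostname`.

    san_dns and san_ips are the dNSName and iPAddress entries of the SAN
    extension as strings; common_name is the subject CN or None. The CN is
    only used when the SAN extension is absent entirely and the caller opts
    in, which mirrors RFC 6125 section 6.4.4; browsers never fall back to it.
    """
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        return any(ipaddress.ip_address(ip) == target_ip for ip in san_ips)
    san_dns = list(san_dns)
    if san_dns or list(san_ips):
        return any(dns_name_matches(p, hostname) for p in san_dns)
    if allow_cn_fallback and common_name:
        return dns_name_matches(common_name, hostname)
    return False


if __name__ == "__main__":
    # Constructed certificate contents: one SAN with a wildcard and an IP entry.
    san_dns = ["example.com", "*.example.com"]
    san_ips = ["203.0.113.5"]
    for host in ("example.com", "api.example.com", "a.b.example.com", "203.0.113.5"):
        print(host, "->", certificate_matches_host(san_dns, san_ips, "example.com", host))
```

The two-level wildcard case (a.b.example.com against *.example.com) is the one most often got wrong in hand-written checks; it must fail, because a single wildcard label never spans more than one DNS label.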