
What is SNI (Server Name Indication)?

Solution

Server Name Indication

Server Name Indication (SNI) is an extension to the TLS protocol.  It allows a client or browser to indicate which hostname it is trying to connect to at the start of the TLS handshake. This allows the server to present multiple certificates on the same IP address and port number.

Before SNI, every SSL website you hosted needed a separate IP address on your server, because port 443 (https) could not be shared. If you attempted to share it on certain servers (IIS, for example), one or both of your websites would not function.

With SNI enabled, you can cut down on the number of IP addresses, both internal and external, that are used to serve encrypted pages using https.

Limitations

The web browser that you use must support SNI. For browsers that do not, it is a good idea to set a default certificate on the server where SNI is configured, so that non-SNI-compliant browsers are still served a certificate.

SNI Support (Browsers and Tools)

  • Android Phones Default Browser - starting with 4.x (Ice Cream Sandwich)
  • Android Tablet Default Browser - starting with 3.x (Honeycomb)
  • BlackBerry 10 Web Browser
  • Google Chrome - starting with version 6.0
  • Internet Explorer - starting with version 7 (SNI is NOT supported on Windows XP)
  • Konqueror/KDE - starting with version 4.7
  • Mozilla Firefox - starting with version 2.0
  • OpenSSL - starting with version 0.9.8f
  • Opera - starting with 8.0 (TLS 1.1 must be enabled)
  • Safari

SNI Support (Servers)

  • Apache - starting with version 2.2.12
  • Apache Tomcat - starting with version 9
  • IBM HTTP Server - starting with version 9.0.0
  • Jetty - starting with version 9.3.0
  • Microsoft Internet Information Services (IIS) - starting with IIS 8
  • nginx - starting with version 0.5.23

Libraries

  • Erlang - starting with version r17
  • Java - starting with version 1.7
  • Perl - starting with version 1.56
  • PHP - starting with version 5.6
  • Python - starting with version 2.7.9rc1 or 3.2alpha4
  • Qt - starting with version 4.8
  • Ruby - starting with version 2.0

No SNI Support

The following do not support SNI:
  • BlackBerry OS (Java based version)
  • Mozilla NSS
  • Windows XP