Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security which allows multiple secure web sites, with separate certificates, to be hosted at the same IP address.

Server Name Indication addresses a common issue where websites with an SSL certificate had to live on separate IPs. This exacerbated the IPv4 shortage and defeated the purpose of virtual hosting, where multiple non-secured sites could share the same IP (note that websites sharing a common certificate can always share an IP).

SNI is based on IETF RFC 4366, which, as part of Transport Layer Security (TLS), allowed the hostname to be sent in the initial stages of the TLS handshake. This allowed websites with different certificates to be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. It requires OpenSSL 0.9.8f or later.

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later

191 questions

110
votes
5 answers

Multiple SSL domains on the same IP address and same port?

This is a Canonical Question about Hosting multiple SSL websites on the same IP. I was under the impression that each SSL Certificate required its own unique IP Address/Port combination. But the answer to a previous question I posted is at odds…
John
50
votes
3 answers

How can I detect if a server is using SNI for HTTPS?

I'm looking for a simple way to know if a server is using the Server Name Indication SSL extension for its HTTPS certificate on a website. A method that uses either a browser or Unix command line is fine. Thanks!
spookylukey
38
votes
3 answers

Setting up default SSL site on IIS8

I have set up a few websites on IIS8 all using the same wildcard SSL certificate. Some of the sites need to be accessible to older browsers and operating systems, therefore I cannot use the "Require Server Name Indication" option. Since SNI is not…
Emil
31
votes
4 answers

What is the difference between SAN and SNI SSL certificates?

Could someone explain to me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
AFA Med
25
votes
4 answers

Can a Reverse Proxy use SNI with SSL pass through?

I need to serve several applications over https using one external ip address. The ssl certificates should not be managed on the reverse proxy. They are installed on the application servers. Can a reverse proxy be configured to use SNI and pass ssl…
user319862
21
votes
3 answers

"Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]" error

After recently upgrading Apache2 to version 2.2.31 I found a strange behaviour in SSL VirtualHost setup. A few of the websites I'm hosting were showing the certificate for the default host even if the client was Server Name Identification aware, and…
usr-local-ΕΨΗΕΛΩΝ
21
votes
6 answers

Redirect to SSL only if browser supports SNI

I have Apache 2.2 with mod_ssl and a bunch of sites in HTTPS on the same IP/port with VirtualHosting, so client must support SNI to connect to those virtual hosts. I would like to configure my server the following way: When a user types…
usr-local-ΕΨΗΕΛΩΝ
13
votes
2 answers

Using SNI on Windows Server 2012 R2 not working

I am trying to get both my sites running with their separate certificates on a Windows Server 2012 R2. Should this not be possible? On the last added site www.c1get.net I get the certificate from the first site and a warning therefore. Update SSL…
Poul K. Sørensen
12
votes
3 answers

SNI and wildcard SSL certificates on the same server with IIS

I'd like to host a website that should listen to subdomains (e.g. sub.domain.com) together with multiple websites that live just under a second-level domain (e.g. domain2.com, domain3.com) with IIS and with SSL. For the website with the subdomains I…
Piedone
12
votes
1 answer

How to define which SSL certificate nginx sends first with SNI?

I use nginx 1.2.7 with OpenSSL 0.9.8o on Debian Squeeze for about 30 domains. On two of them I enabled SSL which works fine on both. The SSL config is use for both domains: listen 443 ssl; ssl_certificate…
cider
11
votes
3 answers

Does SNI represent a privacy concern for my website visitors?

Firstly, I'm sorry for my bad English. I'm still learning it. Here it goes: When I host a single website per IP address, I can use "pure" SSL (without SNI), and the key exchange occurs before the user even tells me the hostname and path that he…
pagliuca
10
votes
2 answers

How do I set up multiple subdomains with their own certificate using nginx?

Unless every answer that I've read was plain wrong, SNI should make it possible to do what I want, yet every guide tells me to do exactly what I'm doing. And yet nginx is serving the wrong certificate so I'm clearly doing something wrong. ❯ sudo…
Wayne Werner
10
votes
2 answers

HAProxy with SNI and different SSL Settings

I have HAProxy for my two sites, one of them public and one private. www.mysite.com private.mysite.com Atm, I'm using haproxy like this: frontend mysite_https bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 mode…
mohrphium
10
votes
2 answers

using nginx with SNI

By now I've not used SNI with nginx yet. But as IP address pools are quite filled and commercial XP support is about to cease (finally) I'm thinking about converting a few sites to SNI. I'm aware of the general limitations and pitfalls that might…
justlovingIT
10
votes
2 answers

Why does apache httpd tell me that my name-based virtualhosts only works with SNI enabled browsers (RFC 4366)

Why does apache give me this error message in my logs? Is it a false positive? [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366) I have recently upgraded from Centos 5.7 to 6.3, and…
Arlukin