
Server Name Indication (SNI) is a crucial technology for secure websites.
SNI allows a client, such as a web browser, to indicate the hostname of the server it's trying to connect to.
This is particularly important for secure websites because it enables multiple domains to be hosted on a single IP address.
In fact, most modern websites use shared hosting, where multiple domains are hosted on the same server.
SNI makes this possible by allowing the client to specify the desired hostname, which is then used to select the correct SSL/TLS certificate.
What Is SNI
Server Name Indication, or SNI, is an extension to the TLS protocol that allows a client or browser to indicate which hostname it is trying to connect to at the start of the TLS handshake.
This allows the server to present multiple certificates on the same IP address and port number.
Before SNI, you needed a separate IP address for every SSL website you hosted, because port 443 could not be shared.
If this caught your attention, see: Azure Api Management Whitelist Ip

One of the main problems with this was that if you attempted to share a server on certain servers, such as IIS, one or both of your websites would not function.
With SNI enabled, you can cut down on the number of IP addresses used to serve encrypted pages using https.
If this caught your attention, see: How to Use Google One Vpn
Problem Background
Prior to SNI, making a TLS connection was a straightforward process, but it had a major limitation: the client had no way to specify which site it was trying to connect to.
This meant that if one server hosted multiple sites on a single listener, the server had no way to know which certificate to use in the TLS protocol.
The client would request a digital certificate from the web server, and once the server sent the certificate, the client would examine it and compare the name it was trying to connect to with the name(s) included in the certificate.
Check this out: Aws S3 No Verify Ssl
If a match occurred, the connection would proceed as normal, but if a match was not found, the user may be warned of the discrepancy and the connection may abort as the mismatch may indicate an attempted man-in-the-middle attack.
Some applications allowed the user to bypass the warning to proceed with the connection, with the user taking on the responsibility of trusting the certificate and, by extension, the connection.
A server that is responsible for multiple hostnames is likely to need to present a different certificate for each name (or small group of names), making it hard to obtain a single certificate that covers all names a server will be responsible for.
Assigning a separate IP address for each site increases the cost of hosting, since requests for IP addresses must be justified to the regional Internet registry and IPv4 addresses are now exhausted.
For another approach, see: Golang Certificate Authority
Technical Principles
SNI addresses the issue of multiple domain names on a single IP address by having the client send the virtual domain name in the TLS negotiation's ClientHello message.
Here's an interesting read: Nextcloud Access through Untrusted Domain

This enables the server to select the correct virtual domain early in the process and present the browser with the certificate containing the correct name.
SNI was added to the IETF's Internet RFCs in June 2003 through RFC 3546, Transport Layer Security (TLS) Extensions.
The latest version of the standard is RFC 6066, ensuring that SNI remains a reliable and widely accepted solution for serving multiple domain names on a single IP address.
Explore further: Parking a Domain Name
Limitations
SNI's effectiveness is limited by the need for browser support. If a browser doesn't support SNI, you'll need to set a default certificate on your server.
A server with SNI configured can still serve a default certificate to non-SNI compliant browsers. This is a good idea to ensure all visitors can access your site.
The latest version of the SNI standard is RFC 6066, which was published in June 2009.
Consider reading: Does Azure Dns Support Dnssec
Scenarios
In a multi-tenanted environment, SNI is designed to scale. This means you can configure thousands of secure sites without worrying about performance issues.

One of the key benefits of SNI in Windows Server 2012 is that certificates are loaded in memory on-demand. This is a significant improvement over previous versions of Windows Server, where loading hundreds of secure sites would cause the server to consume a lot of memory.
To see just how negligible the memory usage is, try sending a GET request to one of the secure sites after configuring thousands of secure sites using SNI. You'll see that the memory usage remains low.
SNI is also designed to co-exist with traditional secure sites, so you can configure both in Windows Server 2012. This flexibility makes it easy to transition to SNI without disrupting your existing infrastructure.
Suggestion: Can You See Internet History on Wifi
Security Implications
Server Name Indication poses a security risk because the payload is not encrypted, making the hostname of the server visible to a passive eavesdropper.
This weakness has been exploited by security software for network filtering and monitoring, as well as by governments to implement censorship.
In recent years, multiple technologies have emerged to hide Server Name Indication, such as Cloudflare, which started supporting ECH for hosted domains in September 2023.
Solution and Instructions
Windows Server 2012 supports Server Name Indication (SNI), a TLS extension that allows a virtual domain name to be used to identify a network endpoint.
This means you can host multiple secure sites with just one IP address, increasing the secure site density on your server.
Most modern browsers support SNI, but Internet Explorer on Windows XP does not.
Implementation
In 2004, a patch for adding TLS/SNI into OpenSSL was created by the EdelKey project.
This patch was later ported to the development branch of OpenSSL in 2006.
The first web browsers with SNI support appeared in 2006, with Mozilla Firefox 2.0 and Internet Explorer 7 being among the first.
Web servers were slower to implement SNI, with Apache HTTP Server introducing support in 2009 and Microsoft IIS in 2012.
For an application program to implement SNI, the TLS library it uses must implement it and the application must pass the hostname to the TLS library.
Some browsers implement SNI on any operating system, while others do so only on certain operating systems.
Broaden your view: Wireless Application Protocol
Making HTTPS Cheaper

Making HTTPS cheaper is a game-changer for web hosts and content delivery networks. Without SNI, a single IP address can only host one hostname over HTTPS, making it expensive to reserve IP addresses for single domains.
This is especially true given that IPv4 addresses are running out. IP addresses are a limited resource, and reserving them for individual domains can be costly.
By requiring clients to support SNI, secure websites can be hosted more efficiently, greatly reducing costs for web hosts and content delivery networks.
For another approach, see: Adult Content Website Hosting
Solution
Windows Server 2012 supports Server Name Indication (SNI), a TLS extension that includes a virtual domain as part of SSL negotiation.
This means that a virtual domain name or hostname can be used to identify the network endpoint, allowing for a higher secure site density with just one IP address.
SNI is supported by most modern browsers, but not by Internet Explorer on Windows XP.
To use this feature, your client browsers must support SNI, so make sure to check your browser's compatibility.
A highly scalable WebHosting store has been created to complement SNI, making it easier to manage secure sites.
Consider reading: Virtual Hosting
Featured Images: pexels.com


