Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security (TLS) that allows multiple secure web sites, each with its own certificate, to be hosted at the same IP address and port.

SNI addresses a common issue: before it, every website with its own SSL certificate had to live on a separate IP address. This exacerbated the IPv4 shortage and defeated the purpose of name-based virtual hosting, where multiple non-secured sites share the same IP (websites covered by a common certificate, such as a wildcard or multi-domain (SAN) certificate, can always share an IP).

SNI is defined in the IETF TLS Extensions RFCs (RFC 3546, later obsoleted by RFC 4366 and now RFC 6066). It lets the client send the hostname it wants, in cleartext, in the server_name extension of the ClientHello, the first message of the TLS handshake. Because the server learns the name before it has to choose a certificate, websites with different certificates can be hosted on the same IP. Two consequences matter in practice: a client that does not send the extension gets whatever certificate the server's default virtual host presents, which will not match the requested name unless that site happens to be the default, and any on-path observer can read the requested hostname even though the rest of the session is encrypted.

SNI is supported by all major browsers and all major web servers. Servers built on OpenSSL require OpenSSL 0.9.8f or later, compiled with TLS extension support.
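The mechanism described above, as an added example that is not part of the tag wiki or of any question on this page: a builder for a minimal ClientHello, a parser that pulls the host_name out of the server_name extension, and a routing function that does what an SNI passthrough proxy or a TLS server with name-based virtual hosts does with that name. Every byte is constructed by the builder rather than captured from a real client, and the hostnames (web1/web2.example.com) and backend addresses are made up for the demo.

```python
"""Where SNI lives in a TLS ClientHello, and how a server or proxy uses it.

Added example for the [sni] tag wiki; not code from any of the questions.
All bytes below are constructed by build_client_hello(), not captured from
a real browser, and the hostnames and backend addresses are made up.
"""
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)
SNI_HOST_NAME = 0x00      # the only NameType defined so far


def build_client_hello(server_name=None):
    """Return one TLS record carrying a minimal ClientHello.

    With server_name=None the server_name extension (and the whole
    extensions block) is omitted, which is what pre-SNI clients such as
    IE on Windows XP send. Internationalised names must be passed as
    A-labels (punycode); the extension carries ASCII only.
    """
    body = b"\x03\x03" + b"\x11" * 32        # client_version + fixed "random" (demo only)
    body += b"\x00"                          # session_id: empty
    body += b"\x00\x02" + b"\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                      # compression_methods: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    or None when the client sent no SNI. Raises ValueError for anything
    that is not a complete ClientHello record (e.g. plain HTTP)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        # Everything before the extensions is variable length, so walk it.
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos >= len(body):
            return None                                       # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            # ServerNameList: 2-byte length, then (NameType, 2-byte length, name) entries
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def pick_backend(record, backends, default=None):
    """Route a ClientHello the way an SNI passthrough proxy or a TLS server
    with name-based vhosts does: by the cleartext host_name, compared
    case-insensitively. A client without SNI, or one asking for a name we
    do not serve, lands on the default vhost, whose certificate will not
    match the name the user typed."""
    name = extract_sni(record)
    if name is None:
        return default
    return backends.get(name.lower(), default)


if __name__ == "__main__":
    backends = {"web1.example.com": "10.10.10.1:443", "web2.example.com": "10.10.10.2:443"}
    for hello in (build_client_hello("web1.example.com"), build_client_hello(None)):
        print(extract_sni(hello), "->", pick_backend(hello, backends, default="default vhost"))
```

Note that the parser never touches a key: the name is readable by anyone between client and server, which is why a middlebox can filter on it and why a passthrough proxy can route on it without terminating TLS. To check what a live server does with and without the extension, `openssl s_client -connect 192.0.2.42:443 -servername web1.example.com` sends it, and `-noservername` (OpenSSL 1.1.1 and later) omits it so you see the default vhost's certificate, which is what a pre-SNI client gets.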

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later
191 questions
0
votes
1 answer

How to fix the TLS Server Name Indication issue under Windows XP on Nginx using a different IP

I have a server that is using two different domains with two different certificates. Everything works fine except IE8 on Windows XP, because TLS Server Name Indication is not supported there. In order to fix this problem I want to buy a dedicated IP…
Marco C
  • 153
  • 9
0
votes
2 answers

Hostname and SSL (apache) issue on Debian

I have been trying to set up an SSL virtual host: ServerAdmin webmaster@mts.com ServerName moclm.tap.pt SSLEngine on SSLCertificateFile /etc/ssl/moclm.cer SSLCertificateKeyFile /etc/ssl/moclm.pem …
user105566
  • 29
  • 1
  • 5
0
votes
2 answers

Apache with suexec, fcgid shows content from wrong vHost over ssl

I changed my Apache setup to worker mode, suexec and fcgid as described in this tutorial: https://wiki.hetzner.de/index.php/Apache_PHP5_fcgi_und_SuExec. Almost everything works fine. I wrote a script that sets up everything for me and also creates…
chris
  • 21
  • 2
0
votes
1 answer

Setup SSL for only a Single website on Linux server with Multiple vhosts

Without configuring Apache to support SNI, can I purchase an SSL cert and use it on a CentOS Linux server that has two name-based vhosts? I'm only interested in securing ONE of the two domains. Could this be configured in the httpd config file, such as…
user1322092
  • 233
  • 2
  • 11
0
votes
1 answer

is a wildcard SSL the only option in this multiple VHOST/1IP setup?

I have a web app set up that needs the following SSL encryption: secure.myapp.com -> SSL; www.myapp.com/login -> SSL; www.myapp.com/signup -> SSL. If I'm correct, I could run one SSL certificate for my whole www.myapp.com/* pages. The problem is that…
solsol
  • 1,121
  • 8
  • 21
  • 31
0
votes
0 answers

SNI and TLS errors on apache reverse proxy host when proxying multiple sites from different servers?

I have an apache2 reverse proxy which is proxying many services including zabbix and nextcloud, and applying a wildcard SSL certificate to said services. These are individual virtual hosts, though they all use the same CA-verified wildcard SSL…
surfrock66
  • 163
  • 3
  • 15
0
votes
0 answers

Use custom SNI for Cloudflare

I have an app back-end on a server; it has many users in China and it uses websockets. I'm doing some tests to bypass the GFW's blocking of SNI. We can connect to Cloudflare websocket websites in China, but then the whole domain gets blocked after a few…
Steve Moretz
  • 173
  • 1
  • 9
0
votes
0 answers

Configuration of dummy default vhost and prevent virtual host fallback with https requests to IP-PD host

Background Consider 4 hypothetical FQDNs that all resolve to 192.0.2.42: example.com www.example.com foo.example.org legacy.example.net Now, consider two hypothetical servers bound to 192.0.2.42 (obviously, not at the same time... I'm just…
Bitbang3r
  • 145
  • 1
  • 9
0
votes
1 answer

How to get a secure HTTP monitor in NetScaler to send SNI in its request?

We have a content switch in front of a virtual server in NetScaler ADC, and it acts as a load balancer. It is tied to a service group that has an HTTP monitor. We cannot get this monitor to work. The monitor calls an HTTPS endpoint. The endpoint…
0
votes
1 answer

How to run nginx and ocserv on the same IP:Port using the same domain name?

How to run nginx and ocserv on the same IP:Port using the same domain name? Just like how a similar thing is possible by using SSTP protocol, if I am not mistaken. I am using Ubuntu 20.04.
Masood Lapeh
  • 48
  • 1
  • 5
0
votes
1 answer

IIS 10: 2 domains with SSLs on same IP - SNI checked for both but 1 of them still doesn't work

Using fictional domains here instead of the actual ones, I have this situation: domain1.com has a binding set up in IIS, is linked to an SSL certificate and has "Require Server Name Indication" checked. domain2.com has a binding in IIS and is linked to its own SSL…
Paul
  • 113
  • 2
0
votes
2 answers

SSL Certificate not valid on SNI server - Dovecot/Postfix

I've got a Dovecot/Postfix server running on a Raspberry Pi running Raspbian 10 (Buster) I have two domain names running on the same server which for privacy I'll call DOMAIN 1 and DOMAIN 2. Both have e-mail addresses associated with them, and both…
0
votes
1 answer

How does a TLS Passthrough reverse proxy based on SNI work?

There are various articles and questions explaining how to use a given reverse proxy's (e.g. nginx) implementation of this [1] [2] [3] [4], but none explain how this actually works under the hood. By "TLS Passthrough based on SNI", I am referring to…
Starfish
  • 11
  • 3
0
votes
1 answer

HAPROXY SNI SSL pass through or termination

I would like to set up HAProxy to terminate SSL or pass the connection through depending on the hostname, exposing only one public IP address. For example: Internet -> domain web1.example.com (10.10.10.1) HAProxy SSL termination -> Backend…
pa bloo
  • 1
  • 1
  • 2
0
votes
0 answers

SNI header missing from TLS Client Hello when using HTTP proxy

I'm debugging a problem with a Java-based application that retrieves a JSON payload (the CVE list from NIST) over HTTPS. When I connect directly to NIST, I retrieve the data successfully. When I use an HTTP proxy, I get a TLS "unrecognized name"…