Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security (TLS) that allows multiple secure web sites, each with its own certificate, to be hosted at the same IP address.

Before SNI, every website with its own SSL/TLS certificate had to live on a separate IP address, because the server had to choose a certificate before it knew which site the client wanted. This exacerbated the IPv4 shortage and defeated the purpose of name-based virtual hosting, where multiple non-secured sites share one IP (websites that share a common certificate, such as a wildcard or multi-domain certificate, can always share an IP).

SNI was introduced in IETF RFC 3546 and is now specified in RFC 6066 (RFC 4366 is the intermediate revision). It adds a server_name extension to the TLS ClientHello, so the client names the host it wants to reach in the very first handshake message and the server can present the matching certificate. Because the ClientHello is sent before any key exchange, the hostname travels in plaintext: it is visible to any on-path observer, and an SNI-aware proxy or load balancer can use it to route the connection without terminating TLS. This is what allows websites with different certificates to be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. On the server side it requires OpenSSL 0.9.8f or later. Clients that do not send SNI (see the browser list below) still connect, but receive whatever certificate the server's default virtual host presents, which usually results in a certificate name-mismatch warning.

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later
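As an added example (not part of the tag wiki or of any question below), the following Python builds a minimal TLS 1.2 ClientHello with and without a server_name extension and parses the hostname back out of the raw record, which is exactly what an SNI-aware load balancer has to do before it can pick a backend. The hello contents and the host-to-backend map are constructed assumptions for the demo, not taken from the page. It also shows the failure mode several of the questions ask about: a client that sends no SNI, or an unknown name, is refused instead of falling through to the first virtual host.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000      # server_name, RFC 6066 section 3
HOST_NAME = 0                    # the only NameType defined


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record for testing.

    Constructed sample data: the random, session id and cipher suites are
    placeholders, not a capture from a real browser.  With server_name=None
    the hello carries no extensions at all, which is what a pre-SNI client
    (e.g. IE on Windows XP) sends.
    """
    client_random = bytes(32)
    cipher_suites = b"\xc0\x2f\x00\x9c"        # two arbitrary suites
    body = (
        b"\x03\x03" + client_random            # client_version, random
        + b"\x00"                              # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                          # compression_methods: null only
    )
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf, pos):
    """Read a big-endian uint16, raising instead of silently misparsing short input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or
    None if the client sent no SNI.  Only the unencrypted record is needed:
    the extension precedes any key exchange, so this is exactly what an
    SNI-aware load balancer (or a passive observer) sees."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip client_version + random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                        # session_id
    pos += 2 + _u16(body, pos)                  # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                        # compression_methods
    if pos == len(body):
        return None                             # no extensions block: pre-SNI client
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        p, list_end = 2, 2 + _u16(data, 0)
        while p + 3 <= list_end:
            name_type, name_len = data[p], _u16(data, p + 1)
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
        return None
    return None


# Hypothetical vhost-to-backend map standing in for two dedicated server farms;
# an assumption for this demo, not taken from the page.
BACKENDS = {"app1.example.com": "farm-a", "app2.example.com": "farm-b"}


def route(record, backends=BACKENDS):
    """Routing decision for one new connection, made from the ClientHello alone.

    Apache and nginx by default hand a missing or unknown server_name to the
    first/default virtual host; here both cases are refused explicitly so that
    no site is ever served under the wrong certificate."""
    name = extract_sni(record)
    if name is None:
        return ("reject", "no-sni")
    backend = backends.get(name.lower().rstrip("."))
    if backend is None:
        return ("reject", "unknown-sni")
    return ("forward", backend)


if __name__ == "__main__":
    for hello in (build_client_hello("app1.example.com"), build_client_hello()):
        print(extract_sni(hello), route(hello))
```

In production the same extraction runs on the first bytes read from the accepted socket, before any TLS library has seen them; nginx's `ssl_preread` and HAProxy's `req.ssl_sni` do this internally, and the reject branches correspond to returning a TLS `unrecognized_name` alert or simply closing the connection.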
191 questions
9 votes, 2 answers

Can a hardware load-balancer route SSL traffic with SNI?

We've got a webserver farm currently hosting 2 applications - both applications are running on all servers. We want to split this so we have a dedicated server farm for each app (we have good reasons for this). We'd hoped to have a single…
potomato
8 votes, 1 answer

SNI for a SMTP server

Let's say I have a dedicated server with some IP (IP1). I'm redirecting multiple domains (say example.com, example.net) to that IP via DNS. I've a single nginx server running here, and I've set up SNI correctly here and it works for HTTPS. I've also…
xryl669
8 votes, 1 answer

IIS 8 - Default SSL Site Breaks SNI

We have the following scenario in testing SNI on Windows Server 2012 R2 with IIS 8. Domain names and IP addresses listed below are fake and for example only. WEB SITE NAME IP ADDRESS Host Name/Header (SNI) Certificate…
Beems
8 votes, 3 answers

Upgrade HTTP connection to SSL/TLS

I currently have a server which automatically redirects all HTTP requests to the equivalent HTTPS site. The problem is that it seems like some browsers do not accept the SSL certificate (StartSSL.com) or do not support SNI, therefore they get an…
foxylion
8 votes, 2 answers

Have Nginx reject unknown server names over HTTPS

I have an Nginx instance using SNI to serve multiple HTTPS domains from a single IP. The only glitch with the setup is that Nginx responds with the first (acting as default) domain whenever a URL for the bare IP of the server, or a domain listed at…
Carlton Gibson
7 votes, 3 answers

No need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?

I have an IIS server hosting: example.com/www.example.com sub1.example.com sub2.example.com They are listed as 3 separate sites under IIS, all bind to the same IP over HTTPS on 443. But they all use the same SSL certificate which is a wild card…
thankyoussd
7 votes, 2 answers

Enabling OCSP stapling on IIS SNI-enabled site

If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site. This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using…
franzo
7 votes, 2 answers

How to stop HTTPS requests for non-ssl-enabled virtual hosts from going to the first ssl-enabled virtualhost (Apache-SNI)

I hope that title is clear. How do I prevent HTTPS requests for non-ssl-enabled virtual hosts from going to the first ssl-enabled virtualhost (setup is Apache-SNI). For example, using my abbreviated config below, requests for https://example.com (a…
Jeff
7 votes, 4 answers

Apache SNI namevhosts always route to first VirtualHost entry

Apache seems to route all https requests to the first regardless of SNI matching on ServerName/ServerAlias fields. Apache is built with SNI Server version: Apache/2.2.22 (Ubuntu) Server built: Mar 8 2013 15:53:13 OpenSSL 1.0.1…
arcyqwerty
7 votes, 3 answers

What percentage of web users are running on browsers/OSes that support SNI?

Has anyone done any analysis (or know where I can find some!) on what proportion of internet users are using a browser/operating system combination that support SNI (Server Name Indication) SSL/TLS certificates? I know for example that IE on XP…
Paul Russell
6 votes, 1 answer

Is it possible to disable clients not supporting SNI in nginx?

By default nginx serves https requests with multiple certificates by using SNI. The fallback for clients not supporting SNI will be the default_server or first vhost which has been configured. I want nginx to not serve clients which don't support…
Matthias
6 votes, 1 answer

HTTP status code to signal bad or missing Host header

Is there an HTTP status code which is appropriate to use for clients which send a bad hostname (or none at all) through SNI or the HTTP Host header? An older question addresses how and why such requests happen in the first place as well as how you can…
kasperd
6 votes, 1 answer

Apache Remote proxy for a reverse proxy SNI mismatch

Having an issue with our setup of an Apache-2.2 and a reverse proxy which is proxied to via another device. Flow is: Apache A -> proxy.abc.net -> Apache B. The error we get on Apache B is Hostname proxy.abc.net provided via SNI and hostname…
6 votes, 4 answers

What happens when a browser does not support SNI

A seemingly simple question, but valid nonetheless. What exactly happens when a browser which does not support SNI attempts to visit a site configured to force SSL via SNI. Thanks
PUncle
6 votes, 3 answers

Jenkins reports reverse proxy setup incorrect with Apache using virtual hosts with SNI

I'm setting up a Jenkins server, to run under Tomcat behind Apache. I'm using virtual hosts with SSL using SNI so I can access it at https://jenkins.example.com, and serve something else on, say, http://www.example.com. I've got it up and running,…
Lorin Hochstein