Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security which allows multiple secure web sites, with separate certificates, to be hosted at the same IP address.

Server Name Indication addresses a common issue where websites with an SSL certificate had to live on separate IPs. This exacerbated the IPv4 shortage and defeated the purpose of virtual hosting, where multiple non-secured sites could share the same IP (note that websites sharing a common certificate can always share an IP).

SNI is based on IETF RFC 4366, which, as part of Transport Layer Security (TLS), allowed the hostname to be sent in the initial stages of the TLS handshake. This allowed websites with different certificates to be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. It requires OpenSSL 0.9.8f or later.

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later
191 questions
5
votes
2 answers

Disabling SNI for specific virtualhost on Apache

We have a web server with a couple of internet IPs. I have successfully set up SNI name based virtualhosts, it's working great. What I'd like to do though is have our main site NOT use SNI and use one of the unique IP addresses alone so that our…
John Hunt
5
votes
0 answers

Do modern web browsers always send the web server's hostname in the SNI extension header?

When a web browser that supports Server Name Indication (SNI) connects to an HTTPS site, does it ALWAYS send the hostname in the SNI field? That is, there is no way for a web browser to know if the HTTPS site it is connecting to is the only HTTPS…
4
votes
1 answer

How to get HAProxy to route TCP based on SNI (using openssl s_client to test)?

I want to use HAProxy to terminate TLS-encrypted TCP connections and to pass the unencrypted TCP traffic to various backends based on the Server Name Indication used to initiate the TLS connection. I have 3 services running on a backend server,…
John
4
votes
1 answer

How to check haproxy sni-based rule with curl?

I made a simple HAProxy configuration to pass through traffic based on the SNI field. Here is my haproxy.cfg defaults log global timeout client 50s timeout client-fin 50s timeout connect 5s timeout server 10s timeout tunnel…
Kirill
4
votes
1 answer

How to check apache for SNI (Server Name Indication) availability?

I have a centos 7 server. I switched from apache 2.4.6 to apache 2.4.25 using IUS repository (https://ius.io/). My goal is to support multiple SSL certificates with a single IP. I have installed: Apache/2.4.25…
GeorgeKaf
4
votes
1 answer

Stunnel with SNI: Section *name*: SNI section name not found

I'm trying to use stunnel with 2 domains on the same IP. My conf is this: ;key = /etc/ssl/private/namecheap/server.key # See this link http://www.sysadminworld.com/2011/how-do-i-use-an-intermediate-certificate-with-stunnel/ # The intermediatev.pem…
dasdasd
4
votes
1 answer

Nginx default SSL Host: Disable completely or...?

I have many SSL Hosts on my server serving via Nginx SNI. However, when I enter the IP address of that server, I will see the first configured virtual host with a certificate warning. Is it possible to completely deactivate a default SSL Host? Any…
lockdoc
4
votes
1 answer

Transparent HTTP/HTTPS domain filtering proxy

I want to set up a transparent HTTP/HTTPS proxy to filter outbound requests based on destination hostname (domain). The proxy itself should be non-intrusive and just forward traffic, not decrypt/modify it. In case of HTTPS it should use the TLS SNI…
Cybran
4
votes
4 answers

Upgrading OpenSSL in CentOS 5.3

I want to use one IP to host many domains with individual SSL certificates (requires SNI). In CentOS 5.3, the latest version of OpenSSL I can find an RPM for is 0.9.8e, which does not support SNI. I want to upgrade to 0.9.8k but I can't find an RPM.…
Lin
4
votes
1 answer

Nginx: SNI doesn't work for server_name with multiple arguments

With this Nginx config: server { listen 443 ssl; server_name www.x.nl x.nl; ssl_certificate /etc/nginx/ssl/x.nl.crtkeyca; ssl_certificate_key /etc/nginx/ssl/x.nl.crtkeyca; [...] } This works: openssl s_client -servername…
Willem
4
votes
1 answer

SNI error over SSL on some Android devices

I am getting an SNI error: Hostname X provided via SNI, but no hostname provided in HTTP request On some Android phones when making SSL requests to my domain. This is despite ensuring that the Host header is set on the client. I have also tried…
JordanC
4
votes
1 answer

Apache2 conditional section based on port

I don't know much about if statements in apache configuration, and I'm wondering if I can have a section of the configuration applied only if the request is received on a certain port. In short, this is about SSL. I have name based virtual hosts, I…
Waleed Hamra
4
votes
1 answer

For enabling SSL for a single domain on a server with multiple vhosts, will this configuration work?

I just purchased an SSL certificate to secure/enable only ONE domain on a server with multiple vhosts. I plan on configuring as shown below (non SNI). In addition, I still want to access phpMyAdmin, securely, via my server's IP address. Will the…
user1322092
4
votes
2 answers

nginx, multiple domains, ssl support for clients without SNI

I want to support SSL for clients which lack SNI support (IE/FF/Safari on win XP, Android < 2.2, and others). The solution I picked was to have nginx listen on a separate port for each certificate. Question is: Is there another way to solve this, or…
Tzury Bar Yochay
4
votes
3 answers

Problems with multiple SSL on same IP, but only in select clients

I know there are tons of posts about multiple SSL on same IP, but I promise I'm not beating a dead horse. My question is very clear. First, a little background... Our organization has several ecommerce sites. All of these sites are running on the…
Calvin Froedge