Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security (TLS) that allows multiple secure web sites, each with its own certificate, to be hosted at the same IP address.

Server Name Indication addresses a common problem: websites with an SSL certificate had to live on separate IPs. This exacerbated the IPv4 shortage and defeated the purpose of virtual hosting, where multiple non-secured sites could share the same IP (note that websites sharing a common certificate can always share an IP).

SNI is based on IETF RFC 4366, which, as part of Transport Layer Security (TLS), allows the hostname to be sent in the initial stages of the TLS handshake, before the server chooses a certificate. This lets websites with different certificates be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. It requires OpenSSL 0.9.8f or later.

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later

191 questions

4 votes, 1 answer

Is it possible to get a wildcard cert and use SNI?

I'd like to make setting up new subdomains easy (at least for the development side) and getting one wildcard cert, setting up a wildcard dns (which is done and works great) and setting up SNI (Server Name Indication) seems like it would work for our…
Sheldon McGee
3 votes, 2 answers

Scalable way to install SSL certificates without downtime

We have a SaaS application that allows customers to use their own domain – pretty typical. At its core, the architecture has a simple catch-all virtual host (apache) and the software does the work of resolving which customer it is based on the…
jpschroeder
3 votes, 1 answer

Does NGINX support SNI or does it not?

EDIT New question: Can NGINX inspect the TLS request to look for SNI like HAProxy (etc) does? According to what I've read around (and I've been told), NGINX should not support SNI and I should go for HAProxy for an SSL-transparent reverse proxy.…
Morpheu5
3 votes, 1 answer

Use postfix through a proxy. How should it be configured?

Postfix by default uses ports 25, 465 and 587. In my configuration, I enabled TLS encryption using the option smtpd_use_tls=yes in postfix's main.cf. This makes all smtp communications encrypted as far as I understand. Since postfix takes only 1…
The Quantum Physicist
3 votes, 2 answers

Cannot disable SNI on Windows Server 2012

I have two different 'families' of related sites, each with their own UCC certificate on the same server. I'm hosting them on the same IIS server, using one IP address for each family. Both UCC certificates are from GoDaddy. Every one of the bindings…
Simon
3 votes, 1 answer

How to serve multiple SSL certificates for the default virtual host on NGINX?

I have a static app on Amazon S3 that is served through a NGINX proxy. The purpose I use a proxy is to allow users to point their domains to my Amazon EC2 instance (via CNAME record pointing to custom-domain.myproduct.com) so they can access my app…
Renato Gama
3 votes, 1 answer

Can TLSv1 / SNI be blocked by the network? (routers, firewalls, etc)

Our web site serves static content through a content delivery network (AWS CloudFront) which is configured to respond to a number of CNAMEs and use our SSL wildcard certificate for these hostnames. Since the CDN may serve many different virtual…
3 votes, 0 answers

Apache mod_proxy with HTTPS without key material (using SNI)

I would like to have an Apache 2.4 proxy which redirects port 80 and 443 requests to different machines in the local network, depending on the host name. I used mod_proxy and it works fine with port 80. Now I am trying to do a HTTPS->HTTPS redirect.…
Daniel Marschall
3 votes, 1 answer

Separate SSL certificate selection from virtual host configuration in apache

Currently, my apache configuration includes one SSL certificate (with all domains listed as Alternative Subject Names). I furthermore have one virtual host configuration per domain that serves both SSL and non-SSL requests. All this happens on one…
Joachim Breitner
3 votes, 1 answer

Resolve a many-SSL-to-one IP for client browsers that don't support SNI

Whoa, acronyms :) So according to this question you can have multiple SSL subdomains on one IP address as long as your server supports TLS (which Apache 2.2x does). Another answer to that question points out that the client browser must have SNI…
Kyle Cureau
3 votes, 1 answer

Nginx and https - Specifying an ip address as a server_name gives the correct website but the wrong certificate

I want to run this url: https://192.168.1.254 and get a website with the correct content and certificate in the address bar. I am getting the website but I get an invalid certificate error in the address bar because the cert is taken from a…
FlexMcMurphy
3 votes, 1 answer

AWS ALB/NLB HTTPS Target with Self-Signed Cert

I am using AWS to build a service. For this service I want to use ACM certificates. The backend is running on an EC2 instance with TLS enabled using a self-signed certificate. Since ACM certificates can't be exported I want to put a load balancer in…
2 votes, 1 answer

Run 2 SSL servers on 1 Debian Pi, both FQDNs, 1 Nginx, 1 Apache, wrong certificate: is this an SNI issue?

I'm forced to use Nginx on a.ddns.net and Apache for b.ddns.net (reverse proxy solution too tricky due to established setups). Real server names edited but both verified as resolving to same IP and SSL certs verified with OpenSSL. Existing setups…
awsbarker
2 votes, 1 answer

Ideal Setup of Apache for multiple SSL certs with SNI on a single IP

I'm looking for the most efficient way to achieve this setup on Apache 2.4.33 in the Amazon Linux Distro: a single server instance (here: AWS EC2) a single associated IP two (or more) domains, each with their own SSL certificate one default SSL…
bobsoap
2 votes, 1 answer

Cloudfront alternate domains using SNI for HTTPS

I am attempting to use Cloudfront to serve an S3 bucket over HTTPS using an "Alternate Domain Name", but I am getting this error when I load the site in a browser: NET::ERR_CERT_COMMON_NAME_INVALID This server could not prove that it is…
twiz