Questions tagged [sni]

Server Name Indication (SNI) is an extension of Transport Layer Security which allows multiple secure web sites, with separate certificates, to be hosted at the same IP address.

Server Name Indication addresses a common issue where websites with an SSL certificate had to live on separate IPs. This exacerbated the IPv4 shortage, as well as defeated the purpose of virtual hosting, where multiple non-secured sites could share the same IP (note that websites sharing a common certificate can always share an IP).

SNI is based on IETF RFC 4366, which, as part of Transport Layer Security (TLS), allowed the hostname to be sent in the initial stages of the TLS handshake. This allowed websites with different certificates to be hosted on the same IP.

SNI is supported by all major browsers and all major web servers. It requires OpenSSL 0.9.8f or later.

Browser Support

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

Server Support

  • Apache v2.2.12 or later
  • Nginx 0.5.32 or later
  • IIS 8.0 or later
191 questions
1 vote, 1 answer

apache always serves first named vhost regardless of SNI setting

Apache is always serving the first named vhost regardless of SNI setting. I'm unsure what is causing this. I no longer get the message Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366) but I…
1 vote, 1 answer

How to use SSL Name Based Vhosts without SNI

I need to host a handful of web applications over SSL using name based virtual hosting. Apache documentation indicates this is possible (https://wiki.apache.org/httpd/NameBasedSSLVHosts) if all sites are covered by the SSL certificate. Is there a…
user319862
1 vote, 2 answers

Apache SNI, 2 domains, 2 certs, resolves to same document root

I am currently following the following guide: https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04 Setup so far has been problem free. I am using two class 1 certificates that…
csvan
1 vote, 2 answers

Correct configuration for SSL over 3 domains on same IP in nginx

I have been working on this for several hours now, to no fruition. Right now I have three domains, for example domain1.com, domain2.org, and domain3.net. These domains are all using the same IP address. domain1 and domain2 each have an individual…
Aethereal
1 vote, 1 answer

nginx and SNI: is it possible to automatically resolve SSL certificate by domain name

I need to set up a server that will serve the same content over SSL using different domain names. The problem is that I need an ability to add new domain names as easily as possible. Assuming that all domain names are already configured to my server I…
Ashald
1 vote, 1 answer

stunnel client uses improper SNI when talking to Apache

I have stunnel listening on port 80 and acting as a client connecting to Apache listening on port 443. Configuration is below. What I'm finding is that if I attempt to connect to localhost:80 the connection is fine but if I connect to…
Huckle
1 vote, 1 answer

Understand ssl setup

Goals: If the user supports SNI and hits myurl1.server.com (https) or myurl2.server.com (https) it will match the right vhost. (the last 2 vhosts) If the user does not support SNI and hits myurl1.server.com (https) or myurl2.server.com (https) it will…
chitech
1 vote, 1 answer

HTTPS vhost multiplexing with upstream client certificate auth with nginx

Let's say I have two Apache servers (one per vhost) behind an nginx server. The problem is that I'd like Apache to do the authentication of client certificates. Would it be possible for nginx to do the SNI part of SSL (so it knows to which Apache…
Vladimir Panteleev
1 vote, 1 answer

Set default TLS SNI vhost for Apache 2.2 on CentOS 6

I have a CentOS 6 server with Apache (httpd-2.2.15-15.el6.centos.x86_64). Now I configured TLS SNI using OpenSSL and that was pretty easy. Now I have two TLS vhosts on the same ip and I want to specify which one should be the default if the client…
Felix Schwarz
1 vote, 1 answer

Why is Firefox on XP reporting "Connection is Untrusted"

To those of you familiar with the RFC 4366 TLS "Server Name Indication" (SNI) extension, which allows multiple SSL certificates on the same IP address, here’s the scenario: URL: http://puny.it/serverfault02 (Redirects to the actual HTTPS URL.) As…
danorton
1 vote, 1 answer

Setup Apache 2.2 With SNI Under Ubuntu 8.04

I am trying to set up SNI on a server running Ubuntu 8.04 with openssl 0.9.8g and apache 2.2.8. I know that I need either mod_gnutils or openssl 0.9.8j (I think) to support SNI. Is it possible to do this under Ubuntu 8.04 without having to…
JamesArmes
1 vote, 1 answer

How to use AD CS to auto-renew certs for securing IIS websites that use SNI?

I have AD CS which automatically provisions and renews machine certificates for servers bound to the directory. (There is a certificate template which controls this auto-issuance.) I have an IIS server bound to the directory which serves some…
NReilingh
1 vote, 2 answers

Linux netfilter NAT based on SNI?

I am trying to do SNI proxying to a subnet on a router while keeping the src IP. Background: I have a router doing DNAT to do port-forwarding for many application ports, and it is connected to a subnet (using a VPN actually) with different backends.…
1 vote, 1 answer

SSL alternative names mismatch

Santander want to use our website, however when trying to access it they receive the following error: 'Network Error: Your request contacted a host which presented a certificate signed by an untrusted issuer.' This appears on a page in red text and…
Andy
1 vote, 1 answer

Getting AH02032 using TLSv1.2 despite identical SNI server name and Hostname, but SNI has the port number attached. No error in test env. with TLSv1.3

Getting the error message below despite identical Hostnames. What I don't understand is why the Hostname provided via SNI has the port number attached even though, according to the Hostname specification, the colon and port number are not listed as…