Server Name Indication

Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) standard that allows several sites with different domain names to share one server. When a TLS connection is established, the client that initiated the connection requests the server's digital certificate. The server returns the certificate associated with the IP address. To operate a server for several hosts with different certificates on a single IP address, the client must tell the server which host it wants before the certificate is sent. SNI is the TLS extension that lets the client transmit this information.

The procedure

To verify the authenticity of a website, Internet users typically rely on digital certificates. Because the encrypted connection to the server is set up before the requested URL is transmitted, TLS 1.0/SSL encryption does not allow several domains to be served under one IP address (so-called virtual hosting). The reason for this limitation is that a server holding several certificates, each valid for only one domain, cannot tell which one it should use. When SSL/TLS was specified, virtual hosting was not anticipated.

With the SNI extension, the browser passes the domain name to the server in the so-called server_name parameter while the connection is being established, so the server can select the matching certificate and use it in the TLS handshake.

The extension, defined in 2003 (RFC 3546, section 3.1), thus makes it possible to use the limited supply of IPv4 addresses more efficiently. In April 2006 the RFC was superseded by RFC 4366, and in January 2011 by RFC 6066.

Using so-called "wildcard certificates", entire subdomain namespaces can be covered (e.g. *.my-domain.de). Most certificate providers, however, charge higher fees for wildcard certificates than for conventional ones.

Security

The server_name parameter is transmitted unencrypted and can therefore easily be read by a third party who eavesdrops on the connection. This reveals little more information than SSL/TLS without SNI, because there the transmitted server certificate likewise contains, in plain text, the domain(s) for which it was issued. If, however, the certificate is valid for several domains or is a wildcard certificate, the eavesdropper does not learn the full requested host name without SNI.

Example: server_name = shop.example.com, while the SSL certificate is valid for *.example.com. Without SNI, an eavesdropper would only know that a site under example.com is being visited, but not whether the visitor went to the shop, the forum, etc.
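The following is an added example, not part of the original article, that makes the two points above concrete: the server_name field sits in the plaintext ClientHello, so it can be read without any key, and a server uses it to pick a certificate, where a wildcard certificate such as *.example.com covers shop.example.com. The ClientHello bytes and the certificate list are constructed here for the demonstration; a real browser sends far more cipher suites and extensions, but the layout parsed below is the one defined by the RFC.

```python
import struct
from typing import Optional, List

SNI_EXTENSION_TYPE = 0x0000   # extension type "server_name"
HOST_NAME_TYPE = 0x00         # NameType host_name


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with an SNI extension.
    Constructed sample input for this demo only."""
    name = server_name.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name       # ServerName
    name_list = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    cipher_suites = b"\xc0\x2f\xc0\x30"          # two ECDHE suites, values irrelevant here
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # client random (constant for the demo)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name carried in the SNI extension of a ClientHello, or None.
    Nothing here needs a key: the whole record is plain text on the wire."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # legacy client without extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None                                       # truncated or malformed record


def certificate_matches(cert_name: str, host: str) -> bool:
    """A certificate name matches exactly, or a leading '*' covers exactly one label."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    labels = host.split(".")
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == cert_name[2:]


def select_certificate(server_name: str, certs: List[str]) -> Optional[str]:
    """Pick the certificate a server would present for server_name: exact names win over wildcards."""
    ordered = [c for c in certs if not c.startswith("*.")] + [c for c in certs if c.startswith("*.")]
    for cert in ordered:
        if certificate_matches(cert, server_name):
            return cert
    return None


if __name__ == "__main__":
    record = build_client_hello("shop.example.com")
    seen = extract_sni(record)                            # what a passive observer reads
    print("server_name on the wire:", seen)
    print("certificate selected:", select_certificate(seen, ["www.example.com", "*.example.com"]))
```

Run against a real server, the same check is usually made with `openssl s_client -connect host:443 -servername host`, which sends exactly this extension; with the wildcard certificate above, the certificate alone only shows *.example.com, whereas the SNI field shows the full host name shop.example.com.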

Supported Software

Browser

SNI is supported by the following browsers:

  • Mozilla Firefox 2.0 and later
  • Opera 8.0 and later (TLS 1.1 must be enabled)
  • Internet Explorer 7 and later on Windows Vista; Windows XP is not supported, even with Internet Explorer 8
  • Google Chrome
  • Safari 3.0 and later (on OS X 10.5.6 and on Windows Vista)

Browser on mobile systems

SNI is supported by the following browsers on the specified mobile operating systems:

  • Android browser from Honeycomb (3.0) on tablets and from Ice Cream Sandwich (4.0) on smartphones
  • Safari on iOS from iOS 4
  • Mozilla Firefox Mobile
  • Opera (Mini and Mobile) from version 10.1 on Android

Server

  • Apache 2.2.12 or later with mod_ssl and OpenSSL 0.9.8f or later
  • Apache 2.0.63/win32 with mod_ssl and the backported SNI patch
  • Cherokee with TLS support
  • IIS 8
  • Lighttpd 1.4.24 or later; earlier versions with the SNI patch
  • Nginx with OpenSSL SNI support
  • Litespeed 4.1.3
  • Hiawatha 8.6 or later
