Server Name Indication

This article is part of a series that I have started working on. In this series, I’ll be briefly discussing engineering concepts.




Consider a server hosting multiple domains, and a client that makes a request to one of them. When the request reaches the server, how will the server decide which certificate it needs to serve?
The server does not know the domain yet: the TLS handshake runs right on top of the TCP connection, and at that point the server knows only the IP address, which is the same for all the domains. Otherwise the domain can only be found out at the application layer, which comes after the handshake.
This is where SNI comes in handy. During the TLS handshake, the client adds the domain/hostname it is trying to connect to in the ClientHello message, and the server uses it to return the appropriate certificate.


Ability to host multiple domains on the same server / public IP address


The SNI payload is not encrypted, so the hostname of the server the client is connecting to is visible. However, this issue is resolved with TLS v1.3.


We will be using Wireshark for this. All you have to do is visit with Wireshark running.

You can download Wireshark from here

Client Hello

If you check the output in Wireshark, you will notice that inside the ClientHello there is an Extension: server_name entry that contains the information related to SNI.

That’s about it! Thank you for reading, and I hope you enjoyed the article. If you did, make sure to give it a clap :)


Product Engineer GO-JEK | GSoC 2018 @openMF | Mobile | Backend | mohak1712 everywhere
