This article is part of a series that I have started working on. In this series, I’ll be briefly discussing engineering concepts.
Consider a server hosting multiple domains: example.com, example2.com and example3.com. Now consider a client that makes a request to example2.com. When the request reaches the server, how does the server decide which certificate it needs to serve?
At that point the server does not yet know which domain is being requested: the TLS handshake takes place before any application data (such as an HTTP Host header) is sent, and the underlying TCP connection is identified only by IP address and port, which are the same for all the domains on that server. The domain would normally only be found out on the application layer, after the handshake has already completed.
This is where SNI (Server Name Indication) comes in handy. During the TLS handshake, the client includes the domain/hostname it is trying to connect to in the ClientHello message, and the server uses that name to pick and return the appropriate certificate.
The benefit is the ability to host multiple domains on the same server / public IP address.
The drawback is that the SNI payload is not encrypted, so the hostname of the server the client is trying to connect to is visible to anyone who can observe the traffic. This is addressed by Encrypted Client Hello (ECH), an extension to TLS 1.3; TLS 1.3 on its own still sends the SNI in the clear.
We will be using Wireshark to look at this. All you have to do is visit google.com with Wireshark capturing. You can download Wireshark from here.
If you check the capture in Wireshark, you will notice that inside the ClientHello there is an entry Extension: server_name that contains the SNI information.
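To make the bytes behind that Wireshark entry concrete, here is an added example (not code from the original article) that builds a minimal TLS ClientHello record carrying a server_name extension and then parses it back out, the same way a server (or a passive observer, which is exactly the privacy drawback described above) reads the hostname before any certificate is chosen. The cipher suite, random bytes and hostnames are constructed sample values; the layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name extension, type 0).

```python
import struct

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
SNI_EXTENSION_TYPE = 0x0000    # server_name extension (RFC 6066)
HOST_NAME_TYPE = 0x00          # the only NameType defined: host_name


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS record containing a ClientHello with an SNI extension.

    The random bytes and the single cipher suite are constructed placeholders;
    the point is the byte layout of Extension: server_name, not a real handshake.
    """
    name = hostname.encode("ascii")
    # ServerName entry: name_type (0 = host_name), 2-byte length, the name itself
    server_name = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    # ServerNameList: 2-byte list length followed by the entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: 2-byte type, 2-byte data length, data
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    # An unrelated extension (supported_versions, type 0x002b) so the parser has to skip something
    supported_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = sni_ext + supported_versions

    body = (
        b"\x03\x03"                           # client_version: TLS 1.2 on the wire
        + b"\x11" * 32                        # random (constructed placeholder)
        + b"\x00"                             # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: only "null"
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Returns None for non-handshake records, non-ClientHello messages, truncated
    data, and ClientHellos that carry no SNI at all (e.g. a client connecting by IP).
    """
    try:
        if record[0] != RECORD_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None  # truncated: the capture did not contain the whole message

        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + body[pos]                           # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
        pos += 1 + body[pos]                           # skip compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len

        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == HOST_NAME_TYPE:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error):
        return None  # malformed or truncated input


if __name__ == "__main__":
    hello = build_client_hello("example2.com")
    print(len(hello), "bytes, SNI =", extract_sni(hello))
```

Run the file directly to see the hostname recovered from the raw record; in Wireshark the same field appears under the ClientHello as Extension: server_name and can be found with the display filter `tls.handshake.extensions_server_name`. Note that the parser reads the name without any decryption, which is precisely why SNI is visible on the wire.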