Server Name Indication

This article is part of a series that I have started working on. In this series, I’ll be briefly discussing engineering concepts.

2/n

SNI

What

Suppose one server (one public IP address) hosts example.com, example2.com and example3.com, each with its own certificate, and a client opens a TLS connection to example2.com. When the connection arrives, how does the server decide which certificate to present?
At that point it cannot know on its own. TCP/IP only carries addresses and ports, and those are identical for all three domains; the hostname the client actually wants (for HTTP, the Host header) is application data, which is only sent after the handshake has finished and the channel is encrypted. The server has to pick a certificate before that.
This is what SNI (Server Name Indication, defined in RFC 6066) is for. The client puts the hostname it is connecting to in the server_name extension of its ClientHello, the first message of the TLS handshake, and the server uses that value to select the matching certificate (and virtual host) before sending its ServerHello.

Why

Several domains, each with its own certificate, can share one server and one public IP address (name-based virtual hosting over TLS). Without SNI a server can only present a single default certificate per IP:port, so every certificate needs its own IP address or all hostnames have to be packed into one multi-domain (SAN) certificate.

Issue

The ClientHello, and with it the server_name extension, is sent in cleartext, so anyone on the path (ISP, corporate proxy, censor) can see which hostname the client is connecting to even though the rest of the session is encrypted. TLS 1.3 does not fix this: it encrypts the server's Certificate message, so the hostname no longer leaks from the server's side of the handshake, but the SNI in the ClientHello is still unencrypted. Encrypted Client Hello (ECH), the successor to the earlier Encrypted SNI (ESNI) drafts, is a separate extension built on top of TLS 1.3 that hides the real hostname inside an encrypted inner ClientHello; it needs support from both the client and the server and a public key published by the server operator, and it is not part of TLS 1.3 itself.
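To make the wire format in the What section and the cleartext problem above concrete, here is an added example (written for this article, not code from the original post) that builds a minimal TLS ClientHello carrying a server_name extension, parses the hostname back out of the raw bytes the way a server or Wireshark would, and uses it to pick a certificate. The certificate table and the hostnames are constructed placeholders; a real server would hold loaded key/certificate objects.

```python
"""Minimal ClientHello with an SNI extension: build it, parse it, dispatch on it.
Constructed example; CERTS, the hostnames and the single cipher suite are placeholders."""
import os
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
SNI_NAME_TYPE_HOST = 0x00     # NameType host_name


def build_sni_extension(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    # ServerName: name_type(1) | host_name length(2) | host_name
    server_name = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(name)) + name
    # ServerNameList: list length(2) | entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: extension_type(2) | extension_data length(2) | extension_data
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname: Optional[str], client_random: Optional[bytes] = None) -> bytes:
    """Return one TLS record holding a ClientHello. hostname=None omits the extensions block
    entirely, which is what a pre-SNI client sends."""
    random_bytes = client_random if client_random is not None else os.urandom(32)
    if hostname is None:
        ext_block = b""
    else:
        ext = build_sni_extension(hostname)
        ext_block = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + random_bytes                           # 32 bytes of client random
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # cipher_suites: one suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                            # compression_methods: null only
        + ext_block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a raw TLS record containing a ClientHello and return the server_name, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # skip version + random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    if pos + 2 > len(body):
        return None                                           # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == SNI_EXTENSION_TYPE:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                p += 3
                if name_type == SNI_NAME_TYPE_HOST:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None


# Hypothetical per-vhost certificate table (placeholder strings stand in for cert/key objects).
CERTS = {"example.com": "cert-1", "example2.com": "cert-2", "example3.com": "cert-3"}


def select_certificate(record: bytes, default_host: str = "example.com") -> str:
    """What a server does before it can answer: read the SNI and choose a certificate.
    A client without SNI, or with an unknown name, gets the default virtual host's certificate."""
    host = extract_sni(record)
    return CERTS.get(host, CERTS[default_host]) if host is not None else CERTS[default_host]


if __name__ == "__main__":
    hello = build_client_hello("example2.com")
    print("SNI:", extract_sni(hello))
    print("certificate:", select_certificate(hello))
    # The hostname sits in the record as plain ASCII: this is the leak discussed above.
    print("hostname visible in cleartext:", b"example2.com" in hello)
```

The last line is the whole privacy issue in one check: the hostname can be found by a plain substring search over the first packet of the connection, no decryption needed. A production server would also refuse or log mismatches rather than silently falling back to the default certificate.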

Demo

We will be using Wireshark for this. All you have to do is visit google.com with Wireshark running.

You can download Wireshark from https://www.wireshark.org

[Screenshot: Client Hello]
[Screenshot: SNI]

In the capture, use the display filter tls.handshake.extensions_server_name (older Wireshark versions use the ssl. prefix) and expand Transport Layer Security > Handshake Protocol: Client Hello > Extension: server_name; the Server Name field shows the hostname in plain text. If no ClientHello shows up, the browser has probably reused an existing connection; force a fresh handshake with `openssl s_client -connect www.google.com:443 -servername www.google.com` and you will see the same extension in the first packet.

That’s about it! Thank you for reading, and I hope you enjoyed the article. If you did make sure to give it a clap :)

You can also follow me on Medium and Github. 🙂

Product Engineer GO-JEK | GSoC 2018 @openMF | Mobile | Backend | mohak1712 everywhere
