Server Name Indication
This article is part of a series that I have started working on. In this series, I’ll be briefly discussing engineering concepts.
2/n
What
Consider a server hosting multiple domains: example.com, example2.com, example3.com. Now consider a client that makes a request to example2.com. When the request reaches the server, how does the server decide which certificate it needs to serve?
At the point the TLS handshake begins, the server does not yet know which domain is being requested: the underlying TCP connection carries only IP addresses and ports, and those are the same for all the domains on that server. The domain would normally only be visible at the application layer (for example in the HTTP Host header), which is sent after the handshake and is encrypted inside TLS.
This is where SNI comes in handy. During the TLS handshake, in the ClientHello message, the client adds the domain/hostname it is trying to connect to, and the server uses that name to select and return the appropriate certificate.
Why
Ability to host multiple domains on the same server / public IP address, each served with its own certificate.
Issue
The SNI payload is not encrypted, so the hostname of the server the client is trying to connect to is visible to anyone observing the traffic. However, TLS v1.3 provides the basis for resolving this: the Encrypted Client Hello extension (ECH, formerly ESNI) built on TLS v1.3 encrypts the SNI.
Demo
We will be using Wireshark for this. All you have to do is visit google.com with Wireshark running.
You can download Wireshark from the Wireshark website.
If you inspect the capture in Wireshark, you will notice that inside the ClientHello there is an Extension: server_name that carries the SNI hostname.