SNI - Server Name Indication

Blog post by Rohit Vijay, Nov 15, 2014

What is SNI?

Server Name Indication (SNI) is an extension of the TLS protocol. The client indicates the hostname it is requesting at the very beginning of the SSL handshake, so a server can hold multiple SSL certificates on one IP address and respond with the correct one.

Why is SNI required?

Name-based virtual hosting allows multiple DNS hostnames to be hosted by a single web server on the same IP address. To achieve this, the server uses the hostname presented by the client as part of the HTTP protocol (the Host header). However, when using HTTPS, the TLS handshake happens before the server sees any HTTP headers. Therefore the server cannot use the HTTP Host header to decide which certificate to present, and only the hostnames included in a single certificate can be served over SSL from the same IP address.

SNI addresses this issue by sending the hostname as part of the SSL handshake, thus enabling the server to keep multiple SSL certificates on a single IP address and present the correct one to the client.

How do we use SNI?

To use SNI, the TLS library used by the application must support it, on both the client and the server side.

Servers which support SNI

  • Apache 2.2.12 or higher, must use mod_ssl
  • Apache Traffic Server 3.2.0 or higher
  • Nginx built against an OpenSSL with SNI support
  • F5 Networks Local Traffic Manager, version 11.1 or higher
  • Apache Tomcat on Java 7 or higher
  • Microsoft Internet Information Server IIS 8

Browsers which support SNI

Desktop Browsers

  • Internet Explorer 7 and later
  • Firefox 2
  • Opera 8 with TLS 1.1 enabled
  • Google Chrome:
         Windows XP: supported on Chrome 6 and later
         Vista and later: supported by default
         OS X 10.5.7: supported in Chrome version 5.0.342.0 and later
  • Safari 2.1 and later (requires OS X 10.5.6 and later, or Windows Vista and later)

Note: No version of Internet Explorer on Windows XP supports SNI.

Mobile Browsers

  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7

Libraries

  • Mozilla NSS 3.11.1, client-side only
  • OpenSSL 0.9.8j (released 07 Jan 2009) through 1.0.0 (released 29 March 2010), compiled in by default
  • CyaSSL, not compiled in by default; can be compiled in with the config option '--enable-sni' or '--enable-tlsx'
  • PolarSSL since 1.2.0, compiled in by default
  • libcurl / cURL since 7.18.1 (released 30 Mar 2008) when compiled against an SSL/TLS toolkit with SNI support
  • Python 3.2 (ssl, urllib[2] and httplib modules)

Testing SNI

Do a Wireshark capture and look at the "Client Hello" message for the SNI TLS extension.

[Screenshot: Wireshark capture of the Client Hello showing the SNI extension]
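As an added example that is not part of the original post, here is a small Python parser for the same field the Wireshark capture shows: it walks a raw TLS ClientHello record and returns the host_name from the server_name extension, or None when the client sent no SNI (as a pre-SNI client would) or the bytes are malformed. The ClientHello it parses is constructed inside the block rather than taken from a capture, and the function names are my own.

```python
import struct

SERVER_NAME_EXT = 0x0000      # TLS extension type for server_name (SNI)
def _extensions(block):
    """Yield (type, data) pairs from a TLS extensions block."""
    pos = 0
    while pos + 4 <= len(block):
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        yield ext_type, block[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len

def extract_sni(record):
    """Return the host_name in a ClientHello record, or None if the client sent no SNI."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:        # handshake record carrying a ClientHello
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                              # skip compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block: pre-SNI client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        for ext_type, data in _extensions(body[pos + 2:pos + 2 + ext_len]):
            if ext_type != SERVER_NAME_EXT:
                continue
            p, end = 2, 2 + struct.unpack("!H", data[:2])[0]   # server_name_list
            while p + 3 <= end:
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:                        # 0 = host_name
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                       # truncated or malformed record
    return None                                           # extensions present, but no SNI

def build_client_hello(hostname=None):
    """Constructed minimal TLS 1.0 ClientHello for testing; not bytes from a real capture."""
    body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"          # client_version, random, empty session_id
            + b"\x00\x02\x00\x05"                         # one cipher suite: RC4-SHA (0x0005)
            + b"\x01\x00")                                # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
        sni = struct.pack("!H", len(entry)) + entry                  # server_name_list
        ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni)) + sni    # extension header + data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record header
```

Feeding the first TLS record of each captured connection to extract_sni gives the requested hostname without decrypting anything, which is also why SNI is visible to anyone on the path.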

OpenSSL Command

$ openssl s_client -servername www.google.com -connect www.google.com:443 -debug -msg

$ openssl s_client -servername www.google.com -connect www.google.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3389 bytes and written 437 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: E5F2F287BD35D7A6A0BA142B0C042515867399FE9FCA988EA6037A41F793DFEA
    Session-ID-ctx:
    Master-Key: 0E3A9412018C0DEA0CFF723FC72B0A5D2B217A052C0782C673B86F474A34DEDCD6F7DF9A9402594A869B2A5151554191
    Key-Arg   : None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    Start Time: 1416056041
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---