TLS extension to support multiple certificates for virtualhosts

Server Name Indication (SNI) means that a compatible TLS client can send a hostname (a.k.a. the "server_name" field) in its Client Hello message to the server, indicating which virtualhost it wants to connect to, and a compatible server can pick the right TLS certificate from its configuration. This extension to the TLS standard aims to solve the SSL/TLS vs. single-IP virtualhosts problem.

SNI was first proposed in June 2003. However, it took quite some time to get this into the most popular Linux web server (Apache2) and into the very popular Debian Linux distribution. Apache got SNI support with v2.2.12, which arrived in Debian 6.* (squeeze) on 28th July 2009. But it was only on 6th February 2011 that Debian 6.0 was officially released and became "stable".

All in all, it took approximately 8 years from the birth of the RFC to the release of the first stable Debian version with support for SNI. Wow. Sad.

If you want to test your server's SNI capabilities and/or configuration, you can use openssl's s_client command with its "-servername" option:
openssl s_client -servername example.com -connect example.com:443
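
To see the "server_name" field itself rather than only its effect on the server, here is an added example (not part of the original post): Python's standard ssl module builds a real Client Hello in memory, with no network connection, and a small parser pulls the hostname out of the server_name extension. The function names client_hello_bytes, u16 and extract_sni are made up for this illustration.

```python
import ssl
import struct

def client_hello_bytes(hostname):
    """Build a real ClientHello for `hostname` in memory (no network I/O)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has sent its hello and waits for the server
    return outgoing.read()

def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def extract_sni(record):
    """Return the host_name in the server_name extension, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[5:5 + u16(record, 3)]
    try:
        pos = 4 + 2 + 32                 # handshake header, version, random
        pos += 1 + body[pos]             # session_id
        pos += 2 + u16(body, pos)        # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        if pos >= len(body):
            return None                  # hello carries no extensions at all
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0:            # 0 = server_name
                # ServerNameList: list_len(2), then name_type(1) name_len(2) name
                if body[pos + 2] == 0:   # name_type 0 = host_name
                    start = pos + 5
                    return body[start:start + u16(body, pos + 3)].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

if __name__ == "__main__":
    for name in ("example.com", "www.example.org"):
        print(name, "->", extract_sni(client_hello_bytes(name)))
```

The hostname is recovered from the very first bytes the client emits, before any certificate has been exchanged, which is what lets the server choose the certificate per virtualhost.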
