Server Name Indication and SSL Certification
SNI stands for server name identification and is an extension to the TLS protocol that allows the client to pass a virtual host name on to the web server as part of the TLS handshake process.
This virtual host name can then be used to determine which certificate should be used for that particular connection.
There is nothing new in using virtual host names to determine which content should be delivered to the client – in fact this process is common practice when delivering web content for many different websites from a single server – however this exchange of virtual host names is normally facilitated in the headers (which are sent after the TLS connection is negotiated) and therefore could not normally be used for determining which SSL certificate to present.
The benefits of SNI
SNI changes the way in which the virtual host names are sent and makes it possible to use these virtual host names as a method of determining which SSL certificate should be presented.
The benefit of using SNI is that multiple certificates can be used with a single IP address. Traditionally it would be very difficult to achieve this because each certificate is bound to the IP address that it is responsible for. Without SNI the only way that you could protect multiple domains with a single IP address would be to use a UCC certificate which allows the use of multiple domains and/or wildcard entries in the subjectAltName field.
This is fine for protecting several domains at setup but the limitations are that every time the list of domains changes the certificate has to be re-issued so this is not practical when the list of domains is changing regularly.
Because of this the only practical way of protecting many domains is to have a separate IP address for each domain (or small group of domains) that requires a secure connection. This can be costly and ultimately is responsible for making hosting more expensive as a result.
SNI SSL vs IP SSL
The major difference between SNI SSL and IP SSL is the fact that a separate IP address is no longer required for each domain or group of domains that needs to be secured. With SNI SSL many certificates can be assigned, each to different domains, using a single IP address. In term this reduces the costs and complexities involved with hosting the domains and this reduction in cost can be passed on to the end users.
The downside of SNI SSL is that not all browsers support the enhanced protocol and any unsupported browsers are likely to show a certificate warning.
SNI SSL Browser Support
The support for SNI SSL is growing every day and does cover the majority of modern web browsers and server software.
The major limitation in SMI SSL support is the requirement to use the SCHANNEL component which did not ship with operating systems until Windows Vista and onwards. Because of this SNI SSL is not supported by any browsers in Windows XP or Server 2003.
The system is supported by IE7 and onwards, Firefox 2.0 and onwards, Google Chrome 6 and onwards as well as a multitude of other browsers including desktop and mobile variants. A full list of supported browsers as well as supported server side technologies can be found here.