Server Name Indication (SNI)

The problem:

You have a server hosting a couple of web sites that require SSL connections on port 443, and you want to use only one IP address on that server.

You may think the server could use the HTTP Host header to work out which web site should receive the request.

The problem, though, is certificate selection.

Suppose you have a server called SRV1 with one IP address [10.0.0.1] and the following SSL sites:

When the client connects to https://www.contoso.com, the SSL handshake starts with the client sending a Client Hello to the web server, and at that point no HTTP headers are available to the server. Only after the SSL handshake has completed does the client encrypt the HTTP request, headers included, and send it to the server. So the server cannot read the Host header during the SSL handshake.

So when the client connects to https://www.contoso.com, the only information available to the server is the destination IP address and port. Since the server hosts two web sites on that same IP address and port, it has no way of knowing which certificate to present.

The Solution – SNI:

Server Name Indication (SNI) is an extension to the SSL/TLS protocols that lets a client (for example, a browser) indicate the exact hostname it is trying to connect to at the start of the SSL/TLS handshake.

In other words, the client sends the domain or host name inside the Client Hello, the first message of the handshake, so the server can select the correct web site and certificate before it answers. Note that this name travels in cleartext, since no keys have been negotiated yet, so anyone on the path can see which host the client is asking for.
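The handshake behaviour described above can be checked from a Windows client. The following PowerShell function is an added example, not code from the original post: it opens a TCP connection to a given address and asks .NET's SslStream to handshake with a chosen target name, then reports which certificate the server presented. The server address 10.0.0.1 and the host name www.contoso.com are taken from the post; everything else (the function name, the use of an IP literal as the "no SNI" case, which SChannel treats as an instruction to send no server_name) is an assumption made for the example.

```powershell
# Added example (not part of the original post): see which certificate one server presents
# with and without SNI. Assumes the server 10.0.0.1 and host name www.contoso.com from the post.
function Get-ServerCertificate {
    param(
        [Parameter(Mandatory)] [string]$ServerAddress,  # where the TCP connection goes
        [Parameter(Mandatory)] [string]$SniName         # name placed in the Client Hello
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerAddress, 443)
    try {
        # Accept any certificate: we want to see which one the server picked, not validate it.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        # AuthenticateAsClient sends $SniName as the SNI server_name. If $SniName is an IP
        # literal, SChannel sends no SNI at all, which mimics a legacy (XP-era) client.
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            SniName    = $SniName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $tcp.Close()
    }
}

# Same IP:port, different name in the handshake: a different certificate if SNI is honoured.
Get-ServerCertificate -ServerAddress '10.0.0.1' -SniName 'www.contoso.com'

# No SNI sent: you get whatever is bound to the bare IP:port (the fallback binding),
# or a handshake failure if the server only has SNI bindings.
Get-ServerCertificate -ServerAddress '10.0.0.1' -SniName '10.0.0.1'
```

Running the second call against a server that has only SNI bindings reproduces exactly the failure that non-SNI clients see, which makes it a handy test before and after adding a fallback certificate.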

Microsoft added SNI support in IIS 8 (Windows Server 2012): when you add an https binding to a web site, you can tick "Require Server Name Indication" and enter the host name the binding should answer to.
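The same binding can be created from PowerShell with the WebAdministration module that ships with IIS. The script below is an added example, not code from the original post or from Microsoft: it puts two HTTPS sites on one IP address and port on an IIS 8 server and gives each its own certificate. The host name www.contoso.com comes from the post; the second site (www.fabrikam.com), the site names, and the certificate thumbprints are placeholders chosen for the example.

```powershell
# Added example (not from the original post): two HTTPS sites on one IP:port on IIS 8,
# told apart by SNI. Site names, www.fabrikam.com and the thumbprints are placeholders.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'Contoso';  Host = 'www.contoso.com';  Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567' },
    @{ Name = 'Fabrikam'; Host = 'www.fabrikam.com'; Thumbprint = '89ABCDEF0123456789ABCDEF0123456789ABCDEF' }
)

foreach ($s in $sites) {
    # SslFlags 1 = "Require Server Name Indication". Without it a second https binding on the
    # same IP:port would conflict, because http.sys could not tell the two sites apart.
    New-WebBinding -Name $s.Name -Protocol https -IPAddress '*' -Port 443 -HostHeader $s.Host -SslFlags 1

    # Attach the site's own certificate. An SNI binding in http.sys is keyed by host:port rather
    # than IP:port, which is why the IP part of the path is left empty here.
    $cert = Get-Item "Cert:\LocalMachine\My\$($s.Thumbprint)"
    New-Item -Path "IIS:\SslBindings\!443!$($s.Host)" -Value $cert -SSLFlags 1 | Out-Null
}

# Check: each host name shows its own certificate thumbprint on port 443.
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Host, Thumbprint
```

The bindings use `*` rather than 10.0.0.1 because SNI bindings are matched on the name in the Client Hello; on a single-IP server such as SRV1 the result is the same, and nothing stops you from adding the IP explicitly.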


SNI Supported Clients:


Many hardware load balancers (NetScaler, for example) do not send SNI when they connect to a back-end service that expects it. Android ActiveSync does not support it either, as far as I know.

Be Careful

Some applications, such as Microsoft AD FS 3.0 and Web Application Proxy, require SNI connections. This may cause problems for clients coming from Windows XP, because they (Internet Explorer on XP, in particular) do not send SNI.

There is a trick to make this work: add an http.sys fallback certificate, a plain IP:port SSL binding that http.sys uses whenever a client's Client Hello carries no server name. This applies to AD FS 3.0 and Web Application Proxy because they sit directly on http.sys rather than on IIS, and the same fallback works for IIS sites whose bindings are all SNI-only.
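Here is what that looks like on an AD FS 3.0 / Web Application Proxy host, as an added example that is not part of the original post. It uses only `netsh http` commands, which exist on Windows Server 2012 R2; the certificate thumbprint and the application id are placeholders, and the federation service name sts.contoso.com is assumed for the example (use the values that `netsh http show sslcert` prints for your own host).

```powershell
# Added example (not from the original post): give http.sys an IP:port fallback binding so that
# clients which send no SNI (IE on Windows XP, some load balancers) still get a certificate.
# The thumbprint, appid and sts.contoso.com are placeholders for this example.

# 1. Look at what is bound today. An AD FS / WAP host normally lists only
#    "Hostname:port : sts.contoso.com:443" entries, i.e. SNI-only bindings.
netsh http show sslcert

# 2. Add a fallback binding on 0.0.0.0:443. http.sys uses it whenever the Client Hello carries no
#    server_name, so give it the certificate non-SNI clients most likely expect (the federation
#    service certificate). Reuse the appid shown for the existing hostnameport binding so the same
#    service owns both bindings.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$appId      = '{5d89a20c-beab-4389-9447-324788eb944a}'   # placeholder: copy it from step 1
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$thumbprint" "appid=$appId" certstorename=MY

# 3. Verify: the fallback now sits next to the hostname:port entries.
netsh http show sslcert ipport=0.0.0.0:443

# To undo, remove only the fallback; the SNI bindings are untouched.
# netsh http delete sslcert ipport=0.0.0.0:443
```

Because the fallback is matched on IP:port alone, it can carry only one certificate per address; if the host serves several SNI names, non-SNI clients will all receive this one certificate and will get a name mismatch for the other names, so choose the name those legacy clients actually use.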

See link1, link2 and link3 for more details.

Good Read

http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx

http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
