Server Name Indication
From Wikipedia, the free encyclopedia
One of the most common methods of encrypting a stream-oriented communication session is the Transport Layer Security (TLS) protocol. It is used, for example, whenever a user types an "https" URL into a browser.
To guarantee that the site the user wanted to connect to is actually the site the browser connected to, the client compares the host part of the URI the user entered with the name in the certificate the server presents (the subject common name (CN) in older deployments, the subjectAltName DNS names in current ones). Should the comparison fail, the browser warns the user that there is something wrong with the site's certificate.
Because the server must present its certificate early in the TLS handshake, the client receives the certificate, and the name in it, before anything that would let the server tell virtual hosts apart (such as the HTTP "Host" header) has been sent. A server that hosts several names on one IP address and port therefore cannot know which certificate to present, so name-based virtual hosting over TLS is impossible without the browser warning the user, unless every hosted name gets its own IP address or a single certificate covers all of them.
An extension to TLS called Server Name Indication (SNI) addresses this issue by having the client send the name of the virtual host it wants in its ClientHello message, as part of the TLS negotiation[1]. This enables the server to "switch" to the correct virtual host early and present the browser with a certificate containing the correct name. Note that the name is carried in plaintext in the ClientHello, before any encryption has been established, so anyone observing the connection can see which host the client is asking for.
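The following is an added example, not code from the original article: it builds a minimal TLS ClientHello carrying a server_name extension and parses the host name back out of the raw bytes, the way a virtual-hosting server or a passive network sensor would, then uses it to choose which certificate to present. The wire layout follows RFC 6066 section 3 (the successor of the RFC 3546 extension cited above) and the ClientHello field order of RFC 5246 section 7.4.1.2; the function names and the virtual-host table are this example's own assumptions, and the cipher-suite list is a placeholder rather than a real client's.

```python
"""TLS ClientHello with a server_name (SNI) extension: builder and parser.

Added example for this article, not code from the original page.
Function names and the sample virtual-host mapping are assumptions.
"""
import os
import struct

SNI_EXTENSION_TYPE = 0x0000   # ExtensionType server_name (RFC 6066)
NAME_TYPE_HOST_NAME = 0x00    # NameType host_name


def build_client_hello(hostname, client_random=None, with_sni=True):
    """Return one TLS record carrying a minimal ClientHello.

    Only the fields a server needs to pick a virtual host are present; real
    clients send many more extensions. client_random defaults to 32 random
    bytes; pass a fixed value for reproducible output.
    """
    if client_random is None:
        client_random = os.urandom(32)
    cipher_suites = b"\xc0\x2b\xc0\x2f"  # two ECDHE AES-128-GCM suites (placeholder list)
    body = (
        b"\x03\x03"                      # legacy_version: TLS 1.2
        + client_random
        + b"\x00"                        # session_id: empty
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                    # compression_methods: null only
    )
    if with_sni:
        # SNI carries the A-label (punycode) form of the host name, without a port.
        host = hostname.encode("idna")
        server_name = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(server_name)) + server_name
        sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _read(buf, pos, n):
    """Big-endian unsigned integer of n bytes at pos; ValueError if truncated."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return int.from_bytes(buf[pos:pos + n], "big")


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if the client
    sent no server_name extension. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _read(record, 3, 2)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + _read(hs, 1, 3)]
    if len(body) != _read(hs, 1, 3):
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + _read(body, pos, 1)                 # session_id
    pos += 2 + _read(body, pos, 2)                 # cipher_suites
    pos += 1 + _read(body, pos, 1)                 # compression_methods
    if pos == len(body):
        return None                                # pre-SNI client: no extensions block
    end = pos + 2 + _read(body, pos, 2)
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = _read(body, pos, 2), _read(body, pos + 2, 2)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("truncated extension")
        if ext_type == SNI_EXTENSION_TYPE:
            return _parse_server_name_list(body[pos:pos + ext_len])
        pos += ext_len
    return None


def _parse_server_name_list(data):
    """Walk the ServerNameList and return the first host_name entry."""
    end = 2 + _read(data, 0, 2)
    if end > len(data):
        raise ValueError("truncated server_name list")
    pos = 2
    while pos + 3 <= end:
        name_type, name_len = _read(data, pos, 1), _read(data, pos + 1, 2)
        pos += 3
        if pos + name_len > end:
            raise ValueError("truncated server_name entry")
        if name_type == NAME_TYPE_HOST_NAME:
            return data[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def select_certificate(record, vhosts, default):
    """Choose the certificate to present: the one configured for the SNI name,
    or the default site's when the client sent no SNI or an unknown name
    (the pre-SNI behaviour that produced the name-mismatch warnings)."""
    name = extract_sni(record)
    return vhosts.get(name, default) if name else default
```

Running `select_certificate(build_client_hello("shop.example.net"), {"www.example.com": "cert-a", "shop.example.net": "cert-b"}, "cert-a")` returns "cert-b", while the same call with `with_sni=False` falls back to "cert-a", which is exactly the case in which a browser connecting to shop.example.net would warn. The parser rejects truncated records with ValueError rather than reading past the buffer, which matters when the same logic sits in front of untrusted traffic.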
Support
Browsers
Browsers with support for TLS server name indication[2]:
- Mozilla Firefox 2.0 or later
- Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
- Internet Explorer 7 (on Windows Vista or later; not on Windows XP)

