Explaining the SNI Hostname in TLS

The SNI (Server Name Indication) hostname is the domain name that a client includes in the TLS handshake when connecting to a server. It allows multiple websites to share the same IP address while using different SSL/TLS certificates.

How SNI Works in TLS

1. Client Sends an SNI Hostname
   • When a client (e.g., browser) initiates a TLS connection, it includes the hostname it wants to connect to in the Client Hello message.
   • This happens before the encrypted session is established.
2. Server Uses the SNI Hostname to Select the Right Certificate
   • If the server hosts multiple domains on the same IP, it uses the SNI hostname to pick the correct SSL/TLS certificate.
   • Without SNI, the server would return a default certificate, possibly causing certificate mismatch errors.

Why is SNI Important?

• Allows multiple HTTPS websites to share one IP address.
• Enables virtual hosting with SSL/TLS (just like HTTP virtual hosts).
• Prevents certificate mismatches in multi-domain setups.

Example: SNI in Action

A server hosts two websites:

• "example.com"
• "secure.example.com"

Both domains share the same IP address ("192.0.2.1"), but each has a different SSL certificate.

Without SNI:

• The server can only use one certificate per IP.
• If a client requests "secure.example.com", but the default certificate is for "example.com", it causes a certificate mismatch error.

With SNI:

• The client sends "secure.example.com" in the TLS Client Hello message.
• The server selects the correct SSL certificate for secure.example.com.