
Multiple SSL Certificates to one IP address

Overview

In the past you’ve needed a separate IP address for each SSL website.  With the introduction of Server Name Indication (SNI), you can bind many SSL certificates to a single IP.

What is Server Name Indication (SNI)?

SNI stands for Server Name Indication and is an extension of the TLS protocol. It indicates which hostname the browser is contacting at the beginning of the handshake process. This allows a server to bind multiple SSL certificates to one IP address.

How SNI works

Browsers that support SNI communicate the name of the website the visitor wants to connect to right at the start of the initialisation of the secured connection, so that the server knows which certificate to send back. This allows browsers/clients and servers that support SNI to serve multiple certificates for multiple domain names from one IP address.

Downsides

SNI is not yet common practice, because some older browsers and systems cannot support the technique. The reason is that the SSL/TLS library can come either with the browser itself or as part of the operating system, so support depends on both. Some browsers support SNI on all operating systems, but a small number only support it on specific operating systems.
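To make the mechanism in the two sections above concrete, here is an added example (not code from the original article) that builds a minimal TLS ClientHello with and without the server_name extension and then parses the hostname back out the way a server would before choosing a certificate. The certificate inventory, the hostnames and the constant random field are constructed for the illustration; the byte layout follows the TLS record, handshake and RFC 6066 extension formats. The fallback branch models the downside the text describes: a client that sends no SNI can only ever receive the default certificate.

```python
import struct

# Constructed certificate inventory for a server hosting several sites
# on one IP address (names and labels are invented for this example).
CERTS = {
    "www.example.com": "cert-example-com",
    "shop.example.net": "cert-example-net",
}
DEFAULT_CERT = "cert-default"


def build_client_hello(server_name=None):
    """Return a TLS record carrying a ClientHello.

    With server_name set, the server_name extension (type 0x0000,
    RFC 6066) is appended. With None, no extensions are sent, which is
    what a browser without SNI support does.
    """
    client_version = b"\x03\x03"          # TLS 1.2
    random = b"\x00" * 32                 # constant for determinism
    session_id = b"\x00"                  # empty session id
    cipher_suites = b"\x00\x02\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"             # null compression only

    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerName entry: name_type(0 = host_name) + uint16 length + name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        # ServerNameList: uint16 length + entries
        sni_list = struct.pack("!H", len(entry)) + entry
        # Extension: type(0x0000) + uint16 length + data
        extensions = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list

    body = client_version + random + session_id + cipher_suites + compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions

    # Handshake header: type 1 (ClientHello) + uint24 length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake) + version + uint16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host name from the SNI extension of a ClientHello record,
    or None when the client sent no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake ClientHello record")
    pos = 9                       # record header (5) + handshake header (4)
    pos += 2 + 32                 # client_version + random
    sid_len = record[pos]
    pos += 1 + sid_len            # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len             # cipher_suites
    comp_len = record[pos]
    pos += 1 + comp_len           # compression_methods
    if pos >= len(record):
        return None               # no extensions block at all (pre-SNI client)
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + length]
        pos += length
        if ext_type == 0:
            # data = list length (2) + name_type (1) + name length (2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("idna")
    return None


def select_certificate(record):
    """Server side: pick the certificate matching the SNI name, falling back
    to the default certificate when SNI is absent or names an unknown host."""
    name = parse_sni(record)
    return CERTS.get(name, DEFAULT_CERT)


if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.net", None):
        rec = build_client_hello(host)
        print(host, "->", parse_sni(rec), "->", select_certificate(rec))
```

Two things worth noticing when running it: the hostname travels in the clear inside the first packet of the handshake, before any encryption is negotiated, which is why network monitoring can log the requested site name even on TLS traffic; and a ClientHello without the extension gives the server nothing to choose on, so every non-SNI client on a shared IP ends up with whichever certificate is configured as the default.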

Browsers that offer support for SNI:

  • Internet Explorer 7 or higher, on Windows Vista or newer.  (Does not work on Windows XP and Internet Explorer 8)
  • Mozilla Firefox 2.0 or higher
  • Opera 8.0 or higher (the TLS 1.1 protocol must be implemented)
  • Opera Mobile, version must be at least 10.1 beta on Android
  • Google Chrome (Windows Vista or newer, Windows XP requires Chrome 6 or higher, OS X 10.5.7 or newer requires Chrome 5.0.342.1 or higher)
  • Konqueror/KDE 4.7 or higher
  • MobileSafari for Apple iOS 4.0 or newer
  • Android standard browser on Honeycomb (v3.x) or higher
  • Windows Phone 7

The following servers support SNI:

  • Apache 2.2.12 or higher, must use mod_ssl
  • Apache Traffic Server 3.2.0 or higher
  • Cherokee, must have TLS support implemented
  • F5 Networks Local Traffic Manager, version 11.1 or higher
  • G-WAN Web app. Server, must use OpenSSL with SNI support
  • Apache Tomcat on Java 7 or higher
  • Microsoft Internet Information Server IIS 8
  • Saetta Web Server via OpenSSL
  • Citrix NetScaler 9.2 or higher
  • HAProxy 1.5 or higher
