The Server Name Indication protocol (SNI) allows a web server such as Apache to determine which domain name a particular incoming secure connection is intended for, without relying on the page request itself.
While that may not sound like much, its impact is quite significant.
What SNI Means for You
Prior to SNI, a website needed to have a dedicated IP address in order to have an SSL certificate installed. Now, however, multiple sites sharing a single IP can all have their own SSL certificates.
A modern web server is able to serve multiple domains from a single IP address because it uses a virtual host to map each domain name to an associated document root. That process doesn’t work for secure requests, though, because the secure connection is negotiated prior to any headers being sent.
As such, the server can only present the SSL certificate that is installed on the IP address targeted by the inbound connection, so each domain name making use of secure connections must have its own dedicated IP address.
SNI changes this by allowing virtual hosts to be used for HTTPS requests as well. It does so by extending the Transport Layer Security (TLS) protocol to include the domain name as part of the process of negotiating a secure connection. Since SNI allows the web server to know the specific domain for which an incoming connection is intended, it can present the SSL certificate associated with that domain and complete the secure connection.
Does Your Server Support SNI?
It’s important to note that all modern browsers on currently supported operating systems now support SNI (anything running on Windows XP does not, nor do smartphones running an operating system older than about five years). Whether your cPanel server also supports the protocol depends on a few key factors:
- The server’s operating system must be CentOS 6 or higher.
- The server’s cPanel version must be 11.38/40 or higher.
- The version of Apache running on the server must be 2.2 or higher.
If your server meets all three of those criteria, it supports SNI and you can have multiple sites with SSL certificates on the same IP address. There is no setting to enable or disable, and no configuration files need to be adjusted for SNI to work; it does so automatically on any supported server.