White Paper SSL - Automate DV ordering process
What is SNI?
SNI stands for Server Name Indication and is the solution to the original limitation that an SSL-secured website had to run on a dedicated, unique IP address. To understand how it works, it is important to know that a secure session between a browser (or other client) and a server starts with a handshake. During this handshake, both sides exchange the information that allows them to verify each other's identity.
Because the basis of encryption is security, i.e. not being able to intercept what is being sent, this handshake originally happened at the level of the IP address: the client first resolves the hostname to an IP address and then opens the connection to that IP address. Anybody eavesdropping on the connection can only see the IP address, not the domain name or hostname being used. Because only the IP address is sent, the server does not know which domain name was requested, and exactly for that reason secured websites used to require a unique IP address.
Server Name Indication is an extension to the TLS protocol that allows the handshake to include the hostname. Rather than just sending 10.0.0.1, the client also sends "domain.com". Because the server now knows the hostname, it can distinguish between domain1.com running on 10.0.0.1 and domain2.net running on that same 10.0.0.1. This allows multiple hostnames to be secured on the same IP address.
The drawback is of course that a small piece of privacy is lost: somebody eavesdropping knows the domain (but only the domain, not the full URL!) that is being connected to. The advantage, on the other hand, is greatly simplified management for people hosting more than one website on a server: simplified to such an extent that fully automated provisioning and installation is possible, and that is what this white paper is about.
A second drawback is that not all servers and browsers support SNI, although the lack of support is rapidly shrinking. For the latest list of supporting clients and servers, we refer to the Wikipedia page on SNI.