SNI (Server Name Indication) issue record about https

With the spread of the Internet, more and more attention is being paid to network security, which has also driven the current boom of https. The SSL certificate is the most common way to deploy the encryption protocol. However, using https brings a problem that is caused by the SSL certificate itself.

The origin of the problem: as server capacity has grown, deploying multiple virtual hosts on one physical server has become very common practice. In the plain-HTTP era, hosting several websites on the same IP address was easy to solve with name-based virtual hosts: when a client requests a specific website, it puts the requested domain name in the Host header of the HTTP request, so the server knows which domain the request belongs to and serves the matching website to the client. This method does not work for https, because the SSL handshake carries no host information, so the server usually returns the first available certificate in its configuration, which means the services on different virtual hosts cannot use different certificates (in practice, each certificate normally corresponds to one service).

To solve this problem, SNI was created. SNI stands for Server Name Indication. It is an extension of the SSL/TLS protocol that allows multiple SSL certificates to be served from a single IP address. SNI works by carrying the requested Host information, which previously existed only in the HTTP header, inside the SSL handshake itself, so that the server can switch to the correct domain and return the corresponding certificate.

SNI (Server Name Indication) is defined in RFC 4366. It is a technology used to improve SSL/TLS and is enabled in SSLv3/TLSv1. It allows the client to submit the requested Host information when it initiates an SSL handshake (specifically, in the ClientHello message sent by the client), so that the server can switch to the correct domain and return the corresponding certificate. Support begins with TLSv1.2 (OpenSSL 0.9.8).
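As an added example (not code from the original post), the Python script below constructs a minimal TLS ClientHello record with and without the server_name extension and parses the hostname back out, which is exactly the lookup a virtual-host server performs before choosing a certificate; the byte layout follows the RFC 4366 extension format and the ClientHello bytes are constructed here rather than captured from a real client.

```python
import struct

SNI_EXT = 0x0000  # extension type of server_name (RFC 4366 / RFC 6066)

def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample data for this example)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32           # client_version, random (fixed for the example)
            + b"\x00"                            # empty session_id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name carried in the ClientHello's server_name extension, or None.

    None is the case the post describes: without SNI the server has nothing to
    select on and falls back to the first certificate in its configuration."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    pos = 9 + 2 + 32                       # skip record/handshake headers, version, random
    pos += 1 + record[pos]                 # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                 # compression_methods
    if pos + 2 > len(record):
        return None                        # no extensions block at all (pre-SNI client)
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SNI_EXT:
            list_len = struct.unpack_from("!H", record, pos)[0]
            p, end = pos + 2, pos + 2 + list_len
            while p + 3 <= end:
                name_type, name_len = record[p], struct.unpack_from("!H", record, p + 1)[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode("idna")
                p += 3 + name_len
        pos += ext_len
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello()))                # None
```

Note that the hostname is readable here without any key material: SNI travels in cleartext in the ClientHello, which is what lets the server pick a certificate before encryption starts, and also what lets any observer on the path see which site is being requested.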


Origin blog.csdn.net/Swallow_he/article/details/106661910