Server Name Indication

One of the most common methods of encrypting a stream-oriented communication session is the Transport Layer Security (TLS) protocol. It is used, for example, whenever somebody types an "https" URL into their browser.

In order to guarantee that the site the user wanted to reach is actually the site the browser connected to, TLS compares the host part of the URI entered by the user with the common name (CN) of the certificate presented by the server. Should the comparison fail, the browser warns the user that something is wrong with the site's certificate.

Because this comparison is made in the early stages of the TLS negotiation, the client receives the server's certificate (and therefore its CN) before it has sent any of the information required to implement virtual hosting, such as the HTTP "Host" header. As a result, name-based virtual hosting over TLS cannot be implemented without the browser warning the user.

An extension to TLS called Server Name Indication (SNI) addresses this issue by sending the name of the virtual host as part of the TLS negotiation [http://journal.paul.querna.org/articles/2005/04/24/tls-server-name-indication/ Paul's Journal: TLS Server Name Indication]. This enables the server to "switch" to the correct virtual host early and present the browser with the certificate carrying the correct CN.
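Added example, not part of the original article: a minimal Python builder and parser for the server_name extension as RFC 3546 lays it out on the wire, so the exact bytes that carry the virtual host name in the ClientHello can be seen. The ClientHello contents are constructed test data and the host name alice.sni.velox.ch is the SNI test site named later on this page.

```python
import struct

# TLS constants; the server_name extension is defined in RFC 3546 section 3.1
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0x00

def build_client_hello(hostname=None):
    """Minimal TLS 1.0 ClientHello record (constructed test data, not a real capture)."""
    body = b"\x03\x01" + b"\x00" * 32      # client_version, random (all zero here)
    body += b"\x00"                        # session_id: empty
    body += b"\x00\x02\x00\x2f"            # cipher_suites: one suite, 2 bytes
    body += b"\x01\x00"                    # compression_methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName: name_type(1) + host_name length(2) + host_name
        server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        # ServerNameList: list length(2) + entries; then the extension header
        sni = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                     # past version and random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None                                      # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME and ext_len >= 5:
            # skip the 2-byte list length, then read the first ServerName entry
            name_type, name_len = struct.unpack("!BH", hs[pos + 2:pos + 5])
            if name_type == NAME_TYPE_HOST_NAME:
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None
```

A ClientHello from a client in the "unsupported" list below simply lacks the extension, which is why extract_sni returns None for it and a name-based virtual host cannot be selected before the certificate is sent.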

Support

Browsers

Browsers with support for TLS server name indication [https://sni.velox.ch/ TLS SNI Test Site: alice.sni.velox.ch]:
* Mozilla Firefox 2.0 or later
* Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
* Internet Explorer 7 or later
* Google Chrome

Servers

* Apache 2.2.8+ with mod_ssl
* Apache with experimental mod_gnutls
* Cherokee if compiled with TLS support
* Newer versions of lighttpd 1.4.x and 1.5.x [http://trac.lighttpd.net/trac/ticket/386 lighttpd ticket #386: TLS servername extension (SNI) for name-based TLS vhosts]
* Nginx, when built against an OpenSSL that was itself built with SNI support

Unsupported Operating Systems and Browsers

The following combinations do not support SNI.
* Windows XP and Internet Explorer 6 or 7
* Mac OS X and Safari 3

External links

* [http://www.ietf.org/rfc/rfc3546.txt RFC3546]


Wikimedia Foundation. 2010.


