What is SNI (Server Name Indication), and why is it needed?

4 minintermediatesnitls-handshakecertificates

Quick Answer

SNI (Server Name Indication) is a field in the ClientHello message where the client states which domain name it wants, before the TLS handshake finishes. This lets one server, at one IP address, host many different HTTPS websites, each with its own certificate — the server uses the SNI value to know which certificate to present.

Detailed Answer

A single physical server can host many websites at the same IP address, each needing a different TLS certificate. Without extra information, the server would not know which certificate to send back, since the encrypted HTTP request (which contains the Host header) hasn't been sent yet — the certificate has to go out before that.

                     one IP address, many sites:
                     - siteA.com  -> certificate A
                     - siteB.com  -> certificate B
                     - siteC.com  -> certificate C

ClientHello
+ SNI: "siteB.com"          <- sent in plain text, before encryption starts
   ------------------------------------------------->
                                          server looks up siteB.com's certificate
                                          Certificate (for siteB.com)
   <-------------------------------------------------

SNI solves this by having the client include the target domain name directly inside the ClientHello, which is sent before encryption is set up. The server reads the SNI value and picks the matching certificate to send back.

This is what makes shared hosting and CDNs practical — thousands of unrelated HTTPS websites can sit behind the same IP address and the same load balancer, each still getting its own correct certificate.

  • Privacy note — in TLS 1.2 and early TLS 1.3, SNI is sent unencrypted, so a network observer can see which domain you're connecting to, even though the rest of the traffic is encrypted.
  • Encrypted Client Hello (ECH) — a newer extension designed to close this gap, still rolling out across browsers and servers.

Related Resources