Lightboard Lessons: TLS Server Name Indication
Server Name Indication (SNI) is an extension to the TLS protocol that allows the client to include the requested hostname in the first message of the SSL handshake (Client Hello). Prior to the introduction of SNI, the client could not easily establish secure connections to multiple servers hosted on a single IP address. Because SNI lets the client identify the intended secure server during the initial part of the TLS handshake, it allows the server to host more than one secure website on a single IP address. In this Lightboard Lesson video, John explains the details of SNI and how you can configure it on your BIG-IP. Enjoy!
Related Resources:
- ltwagnon (Ret. Employee)
@Fulmetal...great question! I'm only speculating here on the motivation behind HTTP/2 requiring SNI when using TLS, but it does make sense that the new/improved HTTP/2 protocol makes it necessary to ensure the client will receive the correct certificate when establishing the TLS handshake (by the way, TLS is not actually mandatory when using HTTP/2 per the RFC, but all the major browsers won't use HTTP/2 without encryption). With the improvements in the more modern protocol(s), you would expect that some of these types of features (TLS SNI being one of them) would become more and more mandatory as technology advances. What was once a "nice to have" security feature has now become an expected part of doing business in today's more advanced, feature-rich Internet. I wouldn't doubt if this trend continues with other features (security and otherwise) as well. Hope this helps!
- Fulmetal (Nimbostratus)
Great, John! You presented the HTTP/2 protocol a few months ago and it seems it requires the TLS SNI extension; HTTP/2 clients MUST indicate the target domain name when negotiating TLS. Do you have an idea why this is mandatory? Many thanks again, John.
- Squeak (Cirrus)
Awesome explanation of SNI, keep up the good work :)