How SNI Works and Why It Fails

SNI (Server Name Indication) extends the TLS protocol by adding the requested hostname to the ClientHello that opens the handshake. Servers use this field to select the matching certificate before encryption begins. Without SNI, a server hosting several sites on one IP address can only present its default certificate, so clients connecting to any non-default site get a domain-mismatch error.

Test SNI functionality:

# Test a specific SNI hostname (the session stays open until EOF; press Ctrl-D or type Q to quit)
openssl s_client -connect example.com:443 -servername example.com -showcerts

# Compare with a request that sends no SNI (-noservername requires OpenSSL 1.1.1 or newer)
openssl s_client -connect example.com:443 -noservername -showcerts

# Test multiple SNI hosts on the same IP; replace shared-ip with the address
# (or DNS name) that all three sites resolve to
for host in site1.com site2.com site3.com; do
    echo "Testing $host:"
    echo | openssl s_client -connect shared-ip:443 -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject
done
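The openssl commands above show SNI from the client's side. To see exactly what the server (or anything else on the path) receives, it helps to look at the bytes: the ClientHello is sent before any encryption is negotiated, so the server_name extension travels in cleartext, which is what lets a server pick a certificate, and also what lets a proxy, IDS or passive observer log the hostname. The following is an added example, not part of the original article: it builds a minimal, constructed TLS 1.2 ClientHello record (zeroed random, one cipher suite) with or without a server_name extension, and a parser that walks the record, handshake header, session id, cipher suites, compression methods and extension list to pull the hostname back out. The helper names `build_client_hello` and `extract_sni` are this example's own. The parser works on a real ClientHello too, for instance the first record read from a raw socket or carved from a packet capture.

```python
import struct

SNI_EXT_TYPE = 0x0000   # RFC 6066 server_name extension
HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type: ClientHello
HOST_NAME = 0x00        # ServerName name_type: host_name


def build_client_hello(hostname=None):
    """Constructed sample ClientHello record (not a real capture).

    Layout: record header (type, version, length) -> handshake header
    (type, 3-byte length) -> version, 32-byte random, session id,
    cipher suites, compression methods, extensions.
    """
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random (zeros for the sample)
    body += b"\x00"                            # empty session id
    body += struct.pack("!H", 2) + b"\x13\x01" # one cipher suite (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                        # compression methods: null only
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")        # RFC 6066 host names are ASCII (A-labels)
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name)
        server_name_list = struct.pack("!HBH", len(name) + 3, HOST_NAME, len(name)) + name
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname carried by a TLS ClientHello record, or None if
    the hello has no server_name extension. Raises ValueError on anything
    that is not a complete ClientHello, so a caller can log it as suspicious
    rather than silently treating it as 'no SNI'."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello record")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                          # skip client_version + random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    if pos + 2 > len(body):
        return None                                       # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    exts = body[pos + 2:pos + 2 + ext_len]
    if len(exts) < ext_len:
        raise ValueError("truncated extensions block")

    p = 0
    while p + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[p:p + 4])
        p += 4
        data = exts[p:p + elen]
        p += elen
        if etype != SNI_EXT_TYPE:
            continue
        q = 2                                 # skip the 2-byte ServerNameList length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if ntype == HOST_NAME:
                return data[q:q + nlen].decode("ascii", "replace")
            q += nlen                         # skip unknown name types
    return None


if __name__ == "__main__":
    for host in ("example.com", None):
        rec = build_client_hello(host)
        print(f"{len(rec):3d}-byte ClientHello, SNI = {extract_sni(rec)!r}")
```

A server with several certificates does the equivalent of `extract_sni` on the first record it receives and selects a certificate by the result; the no-SNI case (`None`) is exactly the situation where it has to fall back to its default certificate, as the article describes.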