SNI and Virtual hosting

Deepak Singh
4 min read · May 1, 2022

In the early days of HTTP, a dedicated physical server hosted a single website. Virtualization replaced those dedicated servers and paved the way for a single webserver to host multiple domains, i.e., multiple websites on the same webserver using the same IP but different port numbers⁹.

The next step in virtual shared hosting was hosting different websites on the same IP using the same port. This was still fine as long as the client could tell the server (via the Host header in the HTTP GET request) which domain it intends to connect to.

Mapping a user request typed in a browser to an HTTP GET request

Then came SSL certificates, which made communication between client and server secure. But shared hosting became problematic with SSL certificates, since the webserver was now shared between multiple organizations and each organization wants to present its own SSL certificate to serve the incoming client request.

The fundamental question is — which certificate should the server present to the client during the TLS handshake if the server does not know which domain the client is trying to connect to? Remember, the HTTP GET request (which carries the hostname) comes after SSL/TLS handshake.

The SNI (Server Name Indication) extension comes in handy in this situation — using SNI, the client can specify the website hostname¹⁰ (aka domain name) during the SSL/TLS handshake.

Usage of SNI⁹ in virtual hosting (multiple websites hosted using the same IP and port)

Let’s break down what is happening in the figure above.

Here, the server hosts three different websites — example.com, test.com, and company.com — on port 443. The client connects to the webserver and, during the TLS handshake, tells the server it wants to connect to the “example.com” website using the SNI field. The server sends the “example.com” certificate to the client, the client verifies it, and the TLS handshake is completed.

How can we host multiple websites using the same IP address and same port number on a webserver?

Let’s take an example of a Windows webserver (IIS) — on IIS, each website is identified by the unique combination of IP:Port:Hostname¹¹. So, if we want to host multiple websites on the same port and same IP address, the hostname has to be unique to keep the triad unique. This indeed is the case as the hostname is unique for each of the hosted websites.

PRO TIP — For virtual hosting, we create an A record pointing the hostname to the server IP address. Also, the SSL/TLS certificate's Common Name (CN) should match that hostname, i.e., the one entered into DNS.

Thinking along similar lines of a single webserver hosting multiple websites — can two or more servers use the same SSL certificate?¹² ¹³

The answer is — Yes. First, the names of all servers where the certificate will be installed (i.e., their DNS names) should be listed in the SAN field of the certificate. Second, each of the servers would need the private key of the certificate.

PRO TIP — We need to take extreme care while sharing the private keys of certificates — some of the recommended methods include transferring them over SSH and packing the private key and certificate into a password-protected PFX file¹³. But the best risk containment is to not share private keys at all.

Hostname naming convention¹⁷

Let’s break down what is happening in the figure above — here, the user is trying to access “example.com” from their laptop. The hostname of the user’s laptop is “PC123”, whereas the hostname of the server hosting the “example.com” website is “server1.example.com”, which the user never needs to know.

PRO TIP — A server name is simply the name of a computer. For webservers, this name is typically not visible to end-users.

I hope you find this article helpful and stay tuned for my next post.

Until then!

Happy Learning 😎

References:

[9] https://www.ssl.com/article/sni-virtual-hosting-for-https/
[10] https://www.cloudflare.com/learning/ssl/what-is-sni/
[11] http://woshub.com/run-multiple-websites-on-the-same-port-and-ip-address-on-iis/
[12] https://theinfinitekitchen.com/faq/quick-answer-can-i-use-ssl-certificate-on-multiple-servers/
[13] https://security.stackexchange.com/questions/62690/can-i-use-a-single-ssl-cert-on-two-different-servers
[14] https://aboutssl.org/ssl-guide/
[15] https://cheapsslsecurity.com/blog/your-ssl-validation-guide/
[16] https://www.hdfcbank.com/
[17] http://www.differencebetween.net/technology/difference-between-hostname-and-server-name/

Deepak Singh

Sales Eng., Consultant, Solutions Architect, Analyst, Hobbyist Coder. 2 Masters — MBA Georgia Tech, MS Analytics. Interested in technology, business & strategy