{"id":6680,"date":"2015-11-16T08:52:27","date_gmt":"2015-11-16T08:52:27","guid":{"rendered":"http:\/\/www.esds.co.in\/blog\/?p=6680"},"modified":"2020-01-08T07:37:16","modified_gmt":"2020-01-08T07:37:16","slug":"multiple-ssl-on-the-same-ip-using-sni","status":"publish","type":"post","link":"https:\/\/www.esds.co.in\/blog\/multiple-ssl-on-the-same-ip-using-sni\/","title":{"rendered":"Multiple SSL on the Same IP using SNI"},"content":{"rendered":"<h1><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6681 size-full\" src=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Multiple-SSL-with-SNI.png\" alt=\"Multiple SSL with SNI\" width=\"674\" height=\"379\" srcset=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Multiple-SSL-with-SNI.png 674w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Multiple-SSL-with-SNI-300x169.png 300w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Multiple-SSL-with-SNI-660x371.png 660w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"Why_we_need_to_use_IPs_more_judiciously\"><\/span>Why do we need to use IPs more judiciously?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\">Thinking about the depletion of IPv4 addresses and how to use them more efficiently gets a little more complex when you see the Internet community aggressively pursuing a massive convergence of secure communication over IP. 
There is no doubt that switching to IPv6 is inevitable, as the technical and economic consequences for the growth of the Internet are potentially important.<\/p>\n<p style=\"text-align: justify;\">The push for rapid adoption of IPv6, to replace IPv4 and conserve the remaining IPv4 stock, is led by the major players on the Net; Google, Facebook and Yahoo are some of the names, and these giants also launched the \u201cWorld IPv6 Day\u201d initiative to sensitize stakeholders and operators around the world and accelerate the inevitable transition to IPv6. Just remember that it is urgent for CIOs to anticipate a shortage situation with the help of their suppliers. IPv6 will provide access to an almost infinite number of addresses, but just imagine that IPv6 also gets exhausted: then what will you do?<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Prevention_is_better_than_the_cure\"><\/span>Prevention is better than the cure!<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\">So how do we stop the wastage of IP addresses? It is time to jump into our main subject, \u201cusing multiple SSL certificates on the same IP with SNI\u201d, which contributes its part to conserving IPv4 and will probably help avoid the future shortage scenario as well.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"When_the_going_gets_tough_the_tough_get_going\"><\/span>When the going gets tough, the tough get going!<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Having a separate SSL certificate for each website traditionally required a separate dedicated IP address per site. Now the process has been streamlined through SNI (Server Name Indication), which lets the server present a website visitor with the certificate that matches the requested server name. \u201cTo be safe, better just order a dedicated IP\u201d is no longer the case thanks to SNI support.<\/p>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"So_how_exactly_SNI_works_to_setup_multiple_SSL_on_different_sites_with_a_single_IP_address_Here_is_the_answer\"><\/span>So how exactly does SNI work to set up multiple SSL certificates on different sites with a single IP address? 
Here is the answer!<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6683\" src=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/ssl_handcheck2.png\" alt=\"ssl_handcheck2\" width=\"587\" height=\"700\" srcset=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/ssl_handcheck2.png 763w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/ssl_handcheck2-252x300.png 252w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/ssl_handcheck2-660x787.png 660w\" sizes=\"auto, (max-width: 587px) 100vw, 587px\" \/><\/p>\n<p>1. When the client sends an HTTPS request, the HTTP headers are not available to the server during the SSL handshake. Only once the handshake completes can the client encrypt the headers and send the encrypted HTTP request to the server. As a result, until the handshake is done the server cannot read the HTTP headers (including the Host header that names the site) or the content. Hence, the problem smiles at our face :).<\/p>\n<p>2. The IP address and the port number are the only information available to the server before it can decrypt the request, because they travel in the TCP\/IP headers while only the HTTP payload is encrypted. This is a limitation, because only a single certificate can be bound to a given &lt;IPAddress&gt;:&lt;Port&gt; combination.<\/p>\n<p style=\"text-align: justify;\">3. To address this limitation, SNI comes into the picture: the client sends the name of the virtual domain it wants as part of the TLS negotiation. 
This enables the server to select the right virtual domain immediately and present the browser with the certificate containing the correct name. Hence, with clients and servers that implement SNI, a server with a single IP address can serve a group of domain names for which it is impractical to obtain a common certificate. Note that the SNI hostname travels in the Client Hello before any encryption is negotiated, so it is visible in cleartext to anyone on the network path.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Legacy\"><\/span>Legacy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Here_is_the_process_of_SSL_handshake_between_client_and_IIS_7x_and_in_the_earlier_version\"><\/span>Here is the process of the SSL handshake between a client and IIS 7.x or earlier versions:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6688\" src=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Windows-Live-Writer-4d358dec4c59_DBDB-TLS-handshake-using-SNI_4.jpg\" alt=\"Windows-Live-Writer-4d358dec4c59_DBDB-TLS handshake using SNI_4\" width=\"674\" height=\"370\" srcset=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Windows-Live-Writer-4d358dec4c59_DBDB-TLS-handshake-using-SNI_4.jpg 1024w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Windows-Live-Writer-4d358dec4c59_DBDB-TLS-handshake-using-SNI_4-300x165.jpg 300w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/Windows-Live-Writer-4d358dec4c59_DBDB-TLS-handshake-using-SNI_4-660x362.jpg 660w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/p>\n<p style=\"text-align: justify;\">1. The client and the server establish a TCP connection through the TCP handshake, then the client sends a \u201cClient Hello\u201d to the server. 
Again, the IP address and the port number are the only information available to the server from the Client Hello. As part of the Client Hello the client sends the protocol version it wants to use and the list of cipher suites it supports.<\/p>\n<p style=\"text-align: justify;\">2. To find a certificate, the server looks for a certificate hash\/thumbprint bound to the &lt;IP&gt;:&lt;Port&gt; combination. It checks the following registry key for that binding:<\/p>\n<pre style=\"font-family: monospace; font-size: 0.99em; width: 95%; height: 5%; border: green 2px solid; color: yellow; background-color: #000000;\">HKLM\\SYSTEM\\CurrentControlSet\\Services\\HTTP\\Parameters\\SslBindingInfo<\/pre>\n<p style=\"text-align: justify;\">3. Once it finds a matching key, the crypto APIs are called to retrieve the server certificate from the certificate store by its thumbprint. The certificate is then included in the Server Hello and sent to the client.<\/p>\n<p style=\"text-align: justify;\">4. 
Yet again, the HTTP headers are not sent until the handshake is complete; as a result the server does not know which site or application the request relates to until the handshake completes.<\/p>\n<p style=\"text-align: justify;\"><strong>So how does the SSL handshake work between an SNI-compliant browser and an SNI-compliant server?<\/strong><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6690\" src=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/sni-ssl-binding-1.png\" alt=\"sni-ssl-binding-1\" width=\"541\" height=\"322\" srcset=\"https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/sni-ssl-binding-1.png 541w, https:\/\/www.esds.co.in\/blog\/wp-content\/uploads\/2015\/11\/sni-ssl-binding-1-300x179.png 300w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/p>\n<p style=\"text-align: justify;\">1. To walk through the process we use IIS 8 here rather than an earlier version, because in this version an SSL binding can be configured to use SNI.<\/p>\n<p>2. Here too the client sends a Client Hello to the server, but the packet carries the protocol version and the list of supported cipher suites together with the hostname. The TCP\/IP headers of the packet still carry the port number and IP address.<\/p>\n<p>3. The server first checks the registry for a legacy binding, that is, a certificate hash\/thumbprint bound to the &lt;IP&gt;:&lt;Port&gt; combination.<\/p>\n<p>4. 
If the server does not find a legacy binding for that specific &lt;IP&gt;:&lt;Port&gt;, it uses the hostname from the Client Hello and searches the registry for a certificate hash\/thumbprint bound to the &lt;hostname&gt;:&lt;port&gt; combination. It looks for that binding under the following key:<\/p>\n<pre style=\"font-family: monospace; font-size: 0.99em; width: 95%; height: 5%; border: green 2px solid; color: yellow; background-color: #000000;\">HKLM\\SYSTEM\\CurrentControlSet\\Services\\HTTP\\Parameters\\SslSniBindingInfo<\/pre>\n<p style=\"text-align: justify;\">5. If that lookup also fails, the server may fall back to the IP address and search for a legacy SSL binding for that IP and port. If even that is absent, the SSL handshake fails.<\/p>\n<p style=\"text-align: justify;\">6. If the server finds a matching key, the crypto APIs are called to retrieve the server certificate from the certificate store by its thumbprint\/certificate hash. 
The retrieved certificate is then added to the Server Hello and sent to the client.<\/p>\n<pre style=\"font-family: monospace; font-size: 0.99em; width: 95%; height: 10%; border: green 2px solid; color: yellow; background-color: #000000;\">Note: SNI is supported in cPanel\/WHM from version 11.38 and above.\nCloudLinux and RHEL 6 also support SNI.<\/pre>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\">It is not only important to consider this capability as a service provider; it is equally essential for you as a customer, because many <a href=\"https:\/\/www.esds.co.in\/\"><strong>Hosting Companies<\/strong><\/a> that support SNI no longer accept SSL as a valid justification for a dedicated IP request. SNI saves cost and avoids the wastage of IP addresses. The one caveat is that a client that does not send SNI can only be matched through a legacy &lt;IP&gt;:&lt;Port&gt; binding, so it receives whichever certificate is bound there, or fails the handshake if none is.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How do we stop the wastage of IP addresses? Using SNI to serve multiple SSL certificates from a single IP is one way to avoid IP wastage. But you may ask why we need to use IPs more judiciously. Let\u2019s find out the answer together and understand the importance of IPs in the shadow of the IPv4 shortage. 
<\/p>\n","protected":false},"author":26,"featured_media":6681,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1271],"tags":[1404,1405],"class_list":["post-6680","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-2","tag-sni-ssl-certificate","tag-ssl-sni"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/6680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/comments?post=6680"}],"version-history":[{"count":16,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/6680\/revisions"}],"predecessor-version":[{"id":11189,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/6680\/revisions\/11189"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/media\/6681"}],"wp:attachment":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/media?parent=6680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/categories?post=6680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/tags?post=6680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}