All Products
Search

This Product

    :HTTPS access issues caused by SNI

    Document Center

    :HTTPS access issues caused by SNI

    Last Updated:Jun 15, 2026

    What is SNI?

    Virtual hosts allow multiple domain names to share a single IP address, which helps address the shortage of IPv4 addresses. A server routes requests to different domain names (virtual hosts) based on the `host` in the client request.

    This creates a problem for HTTPS servers that host multiple domain names on a single IP address. Before the TLS handshake completes, the server does not know which domain name the client is requesting and cannot present the correct certificate for the target virtual host.

    Server Name Indication (SNI) solves this problem by requiring the client to specify the target domain name during the TLS handshake. The server then selects the correct certificate to complete the handshake and establish a TLS connection.

    SNI was first proposed in 2004. Most modern browsers, servers, and testing tools support SNI.

    Why do Anti-DDoS Proxy and Web Application Firewall require clients to support SNI?

    Anti-DDoS Proxy and Web Application Firewall (WAF) act as reverse proxies for HTTPS services. You must upload a certificate and private key when you configure HTTPS protection. Because the number of Anti-DDoS Proxy IP addresses and WAF servers is limited, service clusters host multiple domain names on the same servers. Clients must therefore support SNI to interact correctly with Anti-DDoS Proxy and WAF.

    If a browser that does not support SNI accesses a website protected by Anti-DDoS Proxy or WAF, the service cannot determine the requested domain name. The service then falls back to a built-in default certificate, which causes the browser to display a "server certificate not trusted" warning.
    Note Even if the real server has only one domain name and does not share an IP address, the client still needs to support SNI because Anti-DDoS Proxy or WAF acts as a reverse proxy. The client must first establish a connection with Anti-DDoS Proxy or WAF.

    Solutions

    Server-side

    Configure your server to support SNI.

    Client-side

    If your clients do not support SNI, use one of the following solutions:
    • Advise users to switch to a modern browser, such as Google Chrome or Firefox.
    • Do not configure Layer 7 website protection in the Anti-DDoS Proxy service. Instead, configure website protection using Layer 4 port forwarding.
      Note Layer 4 port protection does not protect against CC attacks.
    SNI compatibility
    Note SNI is compatible with TLS 1.1 and later, but it is not compatible with the SSL protocol.
    • Supported desktop browsers:
      • Chrome 5 and later
      • Chrome 6 and later
      • Firefox 2 and later
      • Internet Explorer 7 and later (only on Windows Vista, Windows Server 2008, and later operating systems. No version of Internet Explorer on Windows XP supports SNI.)
      • Konqueror 4.7 and later
      • Opera 8 and later
      • Safari 3.0 and later (only on Windows Vista, Windows Server 2008, and later, or on Mac OS X 10.5.6 and later.)
    • Supported mobile browsers:
      • Android 3.0 Honeycomb and later
      • iOS 4 and later
      • Windows Phone 7 and later
    • Supported servers:
      • Apache 2.2.12 and later
      • Apache Traffic Server 3.2.0 and later
      • Cherokee
      • HAProxy 1.5 and later
      • IIS 8.0 and later
      • Lighttpd 1.4.24 and later
      • LiteSpeed 4.1 and later
      • Nginx 0.5.32 and later
    • Supported command-line tools:
      • cURL 7.18.1 and later
      • wget 1.14 and later
    • Supported libraries:
      • GNU TLS
      • JSSE (Oracle Java) 7 and later (as a client only)
      • libcurl 7.18.1 and later
      • NSS 3.1.1 and later
      • OpenSSL 0.9.8j and later
      • OpenSSL 0.9.8f and later (requires flag configuration)
      • Qt 4.8 and later