Overview
This article introduces the SNI protocol and Alibaba Cloud CDN support for SNI.
Background information
What is SNI?
With the shortage of IPv4 addresses, the concept of virtual hosting was introduced on HTTP servers so that multiple domain names can share one IP address. The server distributes each request to the appropriate virtual host based on the host name in the client request. For HTTPS servers with multiple virtual hosts, however, the server cannot hand the request to the corresponding virtual host before the SSL handshake is established, because it does not yet know which host the client is requesting. At the same time, the server must read the certificate information configured in that virtual host to complete the SSL handshake.
SNI (Server Name Indication) resolves this contradiction. SNI requires the client to send the host name of the domain it is accessing during the handshake with the server. The server then knows which virtual host's certificate to use for the handshake and can establish a TLS connection with the client. SNI was first introduced in 2004 and is now supported by all mainstream browsers, servers, and testing tools.
Principles of SNI Technology
SNI is supported in TLSv1.2. Specifically, SNI adds the host name of the access target to the SSL handshake information. For example, when a client accesses the "www.taobao.com" domain name, the handshake information contains the host name "www.taobao.com".

Alibaba Cloud CDN support for SNI
By default, SNI forwarding is not enabled for Alibaba Cloud CDN. If SNI is enabled on your Alibaba Cloud CDN origin server, you can submit a ticket to Alibaba Cloud Technical Support to enable the SNI forwarding feature for your domain name.
Applicable scope
- CDN