Server Name Indication (SNI) with IIS 8

By: Jason Bell | Posted on: 27 Apr 2013

Server Name Indication (SNI) is an extension to the TLS protocol in which the client sends the hostname it is connecting to as part of the TLS handshake. This allows a web server to host multiple SSL-enabled web sites on one IP address, because it can choose the matching certificate before the handshake completes. Prior to IIS 8, it was not possible to use this capability in IIS.

Configuration

SNI is enabled in IIS by default. To use this capability, simply provide the appropriate hostname in the configuration of the HTTPS binding for a site.

Binding Configuration

Each HTTPS binding that you would like to use SNI with should have the host name provided. All bindings should have the option "Require Server Name Indication" checked except for the site you would like to act as the "default" HTTPS site. Just as is the case with HTTP bindings, this is the site that will be used when a client does not provide a host header as part of the request. If you do not have at least one HTTPS binding with the option unchecked, IIS Manager will issue a warning informing you of that fact.

Default SSL Site Warning
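The binding layout described above, scripted with the WebAdministration module on IIS 8, as an added example that is not part of the original post. Site names, host names and certificate thumbprints are placeholders; the example assumes both certificates are already installed in the LocalMachine\My store.

```powershell
# Added example: one "default" HTTPS site plus one SNI-only site on the same IP and port.
# Site names, host names and thumbprints below are placeholders.
Import-Module WebAdministration

$defaultThumb = 'THUMBPRINT_OF_DEFAULT_CERT'   # placeholder
$sniThumb     = 'THUMBPRINT_OF_SHOP_CERT'      # placeholder

# 1. The "default" HTTPS site: host name set, "Require SNI" left unchecked (SslFlags 0).
#    Clients that send no SNI host name end up here.
New-WebBinding -Name 'Corp Site' -Protocol https -Port 443 -IPAddress '*' `
    -HostHeader 'www.example.com' -SslFlags 0
# A plain IP:port certificate binding serves the non-SNI case.
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' `
    -Value (Get-Item "Cert:\LocalMachine\My\$defaultThumb")

# 2. A second site on the same IP and port with "Require SNI" checked (SslFlags 1).
New-WebBinding -Name 'Shop Site' -Protocol https -Port 443 -IPAddress '*' `
    -HostHeader 'shop.example.com' -SslFlags 1
# SNI certificate bindings are keyed by host name instead of IP address.
New-Item -Path 'IIS:\SslBindings\!443!shop.example.com' -SslFlags 1 `
    -Value (Get-Item "Cert:\LocalMachine\My\$sniThumb")

# 3. Check: the condition behind the IIS Manager "default SSL site" warning is that
#    no HTTPS binding is left with SNI not required. Bit 1 of sslFlags is "Require SNI".
$https = Get-WebBinding -Protocol https
$https | Select-Object bindingInformation, sslFlags | Format-Table -AutoSize
if (-not ($https | Where-Object { ($_.sslFlags -band 1) -eq 0 })) {
    Write-Warning 'Every HTTPS binding requires SNI; clients that send no host name will fail the handshake.'
}
```

Run it in an elevated PowerShell session on the IIS 8 host; step 3 can be run on its own to audit an existing server for the same condition.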

Compatibility

Before using SNI with IIS 8, you should be aware of the client requirements for this to work properly. Specifically, the TLS library used by an application must support SNI and the application must pass the hostname to the TLS library when making requests. The following web browsers support SNI:

  • IE 7 or later on Windows Vista or later
  • Google Chrome (6.0 on XP, 5.0.342.1 on OS X 10.5.7)
  • Mozilla Firefox 2.0 or later
  • Safari 3.0 or later
  • MobileSafari running on iOS 4.0 or later
  • Opera 8.0 or later
