https://www.cloudflare.com/zh-cn/learning/ssl/what-is-sni/
The rise of ecommerce and the shift towards an online marketplace necessitated having a secure channel via which sensitive information could be transmitted. SSL/TLS certificates fulfilled this demand by connecting websites over HTTPS and providing a secure, encrypted communication channel between clients and servers. Initially, the only SSL certificates available were organization validated (OV) certificates because they were mostly used by corporations to secure their business transactions. Now, of course, we have several different types of SSL certificates that vary by functionality and validation levels, including SNI and dedicated IP SSLs.随着电子商务的兴起和向在线市场的转变,需要有一个安全的渠道来传输敏感信息。SSL/TLS证书通过HTTPS连接网站,并在客户端和服务器之间提供安全、加密的通信通道,满足了这一需求。最初,唯一可用的SSL证书是组织验证(OV)证书,因为公司主要使用它们来保护其业务事务。当然,现在我们有几种不同类型的SSL证书,它们根据功能和验证级别而有所不同,包括SNI和专用IP SSL。
In simple words, Server Name Indication (SNI) is an addition to the TLS encryption protocol that binds a website hosted on a shared server with its associated SSL certificate using its hostname. IP SSL, on the other hand, binds an SSL certificate to the account with a unique IP address. Before looking at SNI SSL vs IP SSL in terms of a comparative study, let’s get a better understanding of these two terms.简单地说,服务器名称指示(SNI)是TLS加密协议的补充,该协议使用共享服务器上托管的网站的主机名与其关联的SSL证书绑定。另一方面,IP SSL将SSL证书绑定到具有唯一IP地址的帐户。在比较研究SNI SSL与IP SSL之前,让我们更好地了解这两个术语。
SNI SSL vs IP SSL: A Quick OverviewSNI SSL与IP SSL:快速概述
IP-based SSL certificates use the dedicated public IP address of the server on which the website is hosted to map the certificate to the site. In addition to the problem of only a limited number of IPv4 addresses being available, this approach can be expensive — especially when you have multiple websites. (Since webhosts charge a fee for each dedicated IP address.)基于IP的SSL证书使用网站所在服务器的专用公共IP地址将证书映射到站点。除了可用IPv4地址数量有限的问题之外,这种方法可能成本高昂,尤其是当您有多个网站时。(因为网络主机对每个专用IP地址收取费用。)
SNI, an extension to the TLS protocol, allows each domain or website hosted on a shared server under a single IP to be mapped to a separate security certificate. During the TLS handshake, the client hello uses the SNI field to specify the hostname to which it is attempting to connect. The server parses this request and sends back the relevant certificate to complete the encrypted connection.SNI是TLS协议的扩展,允许在单个IP下托管在共享服务器上的每个域或网站映射到单独的安全证书。在TLS握手期间,客户机hello使用SNI字段指定其尝试连接的主机名。服务器解析此请求并发回相关证书以完成加密连接。
Consider the following example:考虑下面的例子:
Bob wants to host more than one site on a virtual server. So fundamentally, one IP address is shared between multiple websites with different hostnames. Bob understands that the server needs to know which of these sites the client wants to connect to and must be able to send out the corresponding certificate. If the server issues the wrong certificate, the client’s connection will fail to establish. This adversely affects his business when customers can’t connect.Bob希望在虚拟服务器上托管多个站点。因此,从根本上说,一个IP地址在多个具有不同主机名的网站之间共享。Bob知道服务器需要知道客户端想要连接到这些站点中的哪一个,并且必须能够发送相应的证书。如果服务器颁发了错误的证书,则客户端的连接将无法建立。当客户无法连接时,这会对他的业务产生不利影响。
Luckily for Bob, SNI allows clients to communicate with the specified hostname on the shared server. So, what does Bob do? He opts for an SNI SSL solution, where the client can tell the server exactly which certificate it’s requesting by referencing its hostname during the TLS handshake.Bob幸运的是,SNI允许客户端与共享服务器上的指定主机名通信。那么,鲍勃是做什么的?他选择了SNI SSL解决方案,在该解决方案中,客户机可以通过在TLS握手期间引用其主机名来准确地告诉服务器它正在请求哪个证书。
In contrast, an IP SSL certificate secures the connection based on a unique IP address.相反,IP SSL证书基于唯一的IP地址保护连接。
数据包分析:在 client hello 包中的 extension 的扩展server_name 中包括
SNI 扩展头
