Server Name Indication

Server Name Indication (SNI) support for IBM® HTTP Server allows you to select a server certificate based on the SNI extension that is sent by TLS clients. It does not allow you to use other handshake-related settings from a name-based virtual host.

Definitions for SNI

  • Each virtual host with a matching address-spec, such as "*:443", forms a name-based virtual host group.
  • The first listed virtual host in a name-based virtual host group is the default virtual host.

Requirements for SNI

  • The default virtual host must specify the SNI argument to the SSLServerCert directive.
  • Only virtual hosts with a single address-spec (such as "*:443") can participate in SNI.
  • Non-default virtual hosts in a name-based virtual host group must not contain directives from this module other than SSLServerCert.
  • "invalid" is a reserved server name. Virtual hosts must not specify "ServerName invalid".

Forms of SNI

There are two forms of SNI:
  1. In the first form of SNI, only a single virtual host is used, and the SSLSNIMap directive is used to map between host names and certificate labels.
    <virtualhost *:443>
      ServerName example.com
      SSLEnable SNI
      SSLServerCert default
      SSLSNIMap a.example.com sni1-rsa
      SSLSNIMap a.example.com sni1-ecc
      SSLSNIMap b.example.com sni2
    </virtualhost>
  2. In the second form of SNI, a series of virtual hosts is created, and the mapping from host names to certificate labels is made through ServerName, non-wildcard ServerAlias, and SSLServerCert.
    <virtualhost *:443>
      ServerName example.com
      SSLEnable SNI
    </virtualhost>
    <virtualhost *:443>
      ServerName a.example.com
      SSLEnable
      SSLServerCert sni1
    </virtualhost>
    <virtualhost *:443>
      ServerName b.example.com
      ServerAlias other.example.com
      SSLEnable
      SSLServerCert sni2
    </virtualhost>
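As an added illustration (not part of the IBM documentation), the following Python checker applies the requirements above to a configuration text: it groups <VirtualHost> blocks by address-spec, treats the first block in each group as the default, and reports the violations the requirement list describes. It assumes the SNI argument may appear on either SSLEnable (as in the examples) or SSLServerCert (as in the requirements), tolerates a bare SSLEnable in non-default virtual hosts because the second form's example uses one, and the sample configurations are constructed.

```python
import re
from collections import defaultdict

# SSL-module directives a non-default vhost may carry. The requirements list names
# only SSLServerCert, but the page's own example also puts a bare SSLEnable there,
# so this checker accepts both (an assumption of the example).
ALLOWED_NONDEFAULT_SSL = {"sslservercert", "sslenable"}
VHOST_RE = re.compile(r"<virtualhost\s+([^>]*)>(.*?)</virtualhost>", re.I | re.S)

def parse_vhosts(text):
    """Return [(address_specs, [(directive, args)])] per <VirtualHost>, directives lowercased."""
    vhosts = []
    for specs, body in VHOST_RE.findall(text):
        lines = (ln.split("#", 1)[0].split() for ln in body.splitlines())
        vhosts.append((specs.split(), [(p[0].lower(), p[1:]) for p in lines if p]))
    return vhosts

def lint_sni(text):
    """Apply the SNI requirements to a config text; return a list of problem strings."""
    problems, groups = [], defaultdict(list)
    for specs, directives in parse_vhosts(text):
        names = [a[0] for d, a in directives if d == "servername" and a]
        label = names[0] if names else " ".join(specs)
        if len(specs) != 1:  # only single-address-spec vhosts can participate in SNI
            problems.append(f"{label}: more than one address-spec")
            continue
        if "invalid" in names:  # "invalid" is a reserved server name
            problems.append(f"{label}: 'invalid' is a reserved ServerName")
        groups[specs[0]].append((label, directives))  # one group per address-spec
    for spec, members in groups.items():
        default_label, default_dirs = members[0]  # first listed vhost is the default
        if not any(d in ("sslenable", "sslservercert") and "sni" in [x.lower() for x in a]
                   for d, a in default_dirs):
            problems.append(f"{default_label}: default vhost for {spec} lacks the SNI argument")
        for label, directives in members[1:]:
            for d, _ in directives:
                if d.startswith("ssl") and d not in ALLOWED_NONDEFAULT_SSL:
                    problems.append(f"{label}: non-default vhost must not use {d}")
    return problems

# Constructed samples: the page's second form (clean), then a group whose default
# lacks the SNI argument, a reserved ServerName, and a cipher directive in a
# non-default vhost (three findings).
GOOD_CONF = ("<VirtualHost *:443>\n ServerName example.com\n SSLEnable SNI\n</VirtualHost>\n"
             "<VirtualHost *:443>\n ServerName a.example.com\n SSLEnable\n SSLServerCert sni1\n"
             "</VirtualHost>")
BAD_CONF = ("<VirtualHost *:8443>\n ServerName example.net\n SSLEnable\n</VirtualHost>\n"
            "<VirtualHost *:8443>\n ServerName invalid\n SSLEnable\n SSLCipherSpec ALL\n"
            "</VirtualHost>")
```

Running lint_sni(GOOD_CONF) returns an empty list, while lint_sni(BAD_CONF) reports the three findings described in the sample's comment.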

Last updated: March 23, 2018 0:23
File name: rihs_sni.html