发新话题
打印

SAN 和 SNI 的区别

SAN 和 SNI 的区别

SAN (Subject Alternative Name) is part of the X509 certificate spec, where the certificate has a field with a list of alternative names that are also valid for the subject (in addition to the single Common Name / CN). This field and wildcard names are essentially the two ways of using one certificate for multiple names.

SNI (Server Name Indication) is a TLS protocol extension that is sort of a TLS protocol equivalent of the HTTP Host-header. When a client sends this, it allows the server to pick the proper certificate to present to the client without having the limitation of using separate IP addresses on the server side (much like how the HTTP Host header is heavily used for plain HTTP).

SNI is conducted on the client side and tells TLS stack "I want to talk to a server whose name is [Server X]". Server sees this [Server X] string and replies with an appropriate certificate. One practical example is when a single server needs to serve traffic for multiple domains. It is also useful if client used an IP (to avoid DNS lookup delays) but certificate CN does not mention the IP.

SAN is a list of "Also Known As" in certificates. This way server may use a single certificate for many names. One can add many domains to the same certificate and even a list of IPs.

As you can see, things overlap. Choosing between one or both depends where one has control over. Some clients might not recognize names in SAN and the only way to address that is through providing appropriate certificate based on SNI. There are scenarios which server provides API for a single certificate or client does not send SNI. For these cases, SAN is the only way out.

原文: https://serverfault.com/questions/807959/what-is-the-difference-between-san-and-sni-ssl-certificates

TOP

发新话题