SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which is the successor to SSL, provide secure network connections. SSL and/or TLS are commonly used during web browsing (e.g., using HTTPS), email, and other Internet applications. An SSL or TLS client and server negotiate a set of parameters to establish a secure session in a process called a handshake. During the handshake process, the client connects to the SSL/TLS server requesting a secure session and provides cryptographic information, including the protocol version and the types of cryptographic algorithms supported by the client. The SSL/TLS server chooses one of the cryptographic algorithms and responds accordingly to the client. The SSL/TLS server also includes its digital certificate. The digital certificate typically includes the server name, a public key associated with the server, the identification and signature of the Certificate Authority (CA) that issued the certificate (the CA may be a trusted third party or may be the domain owner), and other information. The client may contact the CA to confirm the validity of the certificate before proceeding. If the client is not able to confirm the validity of the certificate, it may generate a warning to the user, and the user may be allowed to choose whether to proceed. The client then sends the server a message, encrypted with the server's public key, containing a random number from which the symmetric encryption keys and the MAC (message authentication code) keys are derived. The server responds with a finish message and the SSL handshake ends, at which point encrypted data can be exchanged between the client and the server.
Virtual hosting is a technique where multiple websites (multiple domains) are hosted on a single server. Name-based virtual hosting is a technique where multiple domains share the same IP address. ISPs (Internet Service Providers) that provide hosting capabilities for relatively small websites commonly use virtual hosting as a way to share the cost of resources. Virtual hosting is also commonly used in data centers. In name-based virtual hosting, in the case of an HTTP request, the server determines which virtual host (which website) to route the request to based on the Host header field in the request. In traditional SSL, the handshake procedure (where the server transmits its certificate to the client) occurs prior to the HTTP request. Thus, in traditional SSL, during the handshake procedure, the server does not know the destination host and therefore cannot know which certificate to present. This forces the server to employ a separate IP address for each virtual host that is configured with SSL. Since IP addresses are an increasingly limited resource (especially IPv4 addresses), having a separate IP address for each virtual host does not scale well, and the problem is amplified in a cloud environment spanning multiple data centers.
TLS, which is the successor to SSL, supports an extension to the handshake procedure called Server Name Indication (SNI). SNI is described in RFC 3546, June 2003. SNI allows the client to transmit the destination host name during the handshake procedure, before any HTTP request is sent. This allows the server to determine the proper certificate to send to the client. If SNI is used, a server may use name-based virtual hosting without having a separate IP address for each virtual host, and the appropriate certificate can be returned depending on the indicated host. SNI, however, is not supported by all browsers and/or operating systems. As a result, many servers do not support SSL in combination with name-based virtual hosting.
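The following Python example is added here to illustrate the mechanism the preceding paragraphs describe; it is not code from the original text. It constructs a minimal TLS 1.2 ClientHello record (with or without an SNI extension, as a constructed sample input), parses the record the way a name-based virtual host must before it can choose a certificate, and maps the indicated host name to a certificate. The functions build_client_hello, extract_sni and select_certificate, the cipher suite defaults and the certificate labels are all assumptions made for the example; the wire layout follows the TLS record and handshake formats and the server_name extension from RFC 3546. A ClientHello with no SNI yields None, which is the traditional-SSL situation in which the server cannot tell which virtual host is wanted and must fall back to a default certificate or a dedicated IP address.

```python
import os
import struct

# Wire constants from the TLS specifications (record/handshake layout,
# server_name extension from RFC 3546).
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(host_name=None, cipher_suites=(0x002F, 0x0035)):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input).

    With host_name set, a server_name (SNI) extension is appended: that is the
    field a name-based virtual host reads to choose a certificate, since no
    HTTP Host header exists yet at this point of the handshake.
    """
    body = b"\x03\x03"                                  # client_version: TLS 1.2
    body += os.urandom(32)                              # client random
    body += b"\x00"                                     # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites     # offered cipher suites
    body += b"\x01\x00"                                 # one compression method: null
    if host_name is not None:
        name = host_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry     # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext       # extensions block
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(handshake)) + handshake


def _u8(buf, pos):
    """Read one byte with a bounds check; returns (value, new_pos)."""
    if pos + 1 > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos], pos + 1


def _u16(buf, pos):
    """Read a big-endian 16-bit length with a bounds check."""
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2


def extract_sni(record):
    """Return the host name carried in the ClientHello's SNI extension, or None.

    None is the traditional-SSL case: the client told the server nothing about
    which virtual host it wants, so no per-host certificate can be chosen.
    Malformed input raises ValueError instead of guessing.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len, _ = _u16(record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip client_version and random
    sid_len, pos = _u8(body, pos)
    pos += sid_len                                      # skip session_id
    cs_len, pos = _u16(body, pos)
    pos += cs_len                                       # skip cipher_suites
    cm_len, pos = _u8(body, pos)
    pos += cm_len                                       # skip compression_methods
    if pos == len(body):
        return None                                     # no extensions at all
    ext_len, pos = _u16(body, pos)
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, pos = _u16(body, pos)
        data_len, pos = _u16(body, pos)
        data, pos = body[pos:pos + data_len], pos + data_len
        if ext_type != EXT_SERVER_NAME or len(data) != data_len:
            continue
        list_len, lp = _u16(data, 0)
        while lp + 3 <= 2 + list_len:
            name_type, lp = _u8(data, lp)
            name_len, lp = _u16(data, lp)
            name, lp = data[lp:lp + name_len], lp + name_len
            if name_type == SNI_HOST_NAME and len(name) == name_len:
                return name.decode("ascii")
    return None


def select_certificate(record, vhost_certs, default_cert):
    """Choose the certificate a name-based virtual host should present.

    vhost_certs maps lower-case host names to certificate handles (labels
    here); default_cert is what the server offers when no SNI was sent.
    """
    host = extract_sni(record)
    if host is None:
        return default_cert
    return vhost_certs.get(host.lower(), default_cert)
```

Calling select_certificate(build_client_hello("blog.example"), {"blog.example": "cert-blog"}, "cert-default") returns "cert-blog", while the same call with build_client_hello() (no SNI) returns "cert-default". Note that the host name travels in the clear in the ClientHello, so a passive observer on the path sees which virtual host is requested even though the HTTP request itself is encrypted; that is an inherent property of the extension as described above, not of this example.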