In TLS, the server must select and send its certificate based on the destination IP address, before it can read the domain name in the HTTP request. In a virtual hosting environment it therefore presents the wrong certificate (usually the server's default), and the browser warns the user of a name mismatch. An extension to TLS called Server Name Indication (SNI) addresses this issue by sending the name of the virtual domain as part of the TLS negotiation. This enables the server to “switch” to the correct virtual domain early and present the browser with the certificate containing the correct CN (Common Name).
Monday, September 27, 2021