One Address Many Sites
A single server IP address often hosts many websites. With plain HTTP the Host header names the site, so the server knows which one is wanted. But TLS sets up encryption before the HTTP request is sent, creating a chicken-and-egg problem: which certificate should the server present if it does not yet know the hostname?
What SNI Adds
Server Name Indication, or SNI, is a TLS extension (server_name, defined in RFC 6066) carried in the ClientHello, the very first message of the TLS handshake. The client states the DNS hostname it wants to reach; the field carries a hostname, not an IP address.
- The server reads SNI before choosing a certificate.
- It presents the certificate matching that hostname.
- One IP can thus serve many secure sites, each with its own certificate.
- If the client sends no SNI (an old client, or a scanner that connects by IP), the server has to fall back to a default certificate, which usually does not match the name the user expected.
Why It Was Needed
Before SNI, each TLS site effectively needed its own IP address (the alternatives were a dedicated port per site or one certificate listing every hostname), which wasted scarce addresses. SNI made large-scale virtual hosting and shared hosting providers practical.
A Privacy Note
Classic SNI is sent in the clear, so anyone on the path can see which hostname you requested even though the application data is encrypted. In TLS 1.2 the server's certificate is also sent in the clear; TLS 1.3 encrypts it, which leaves plaintext SNI as the main leak of the destination name. Encrypted Client Hello (ECH) is a newer TLS extension that encrypts the real ClientHello, including the name, to a public key the client fetches from DNS; the outer, visible ClientHello names only the client-facing server. It closes the gap only when the server deploys ECH and the client can obtain that key, and the destination IP address remains visible either way.
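To make the ClientHello layout and the privacy point concrete, here is an added example (not code from the original page) that builds a minimal ClientHello with and without a server_name extension and then parses the hostname back out of the raw bytes, which is exactly what an on-path observer, a TLS-passthrough proxy or a server choosing a certificate does before any key has been negotiated. The hostnames shop.example and mail.example and the cipher-suite list are constructed sample values.

```python
import os
import struct
from typing import Optional

# Wire constants from the TLS specifications (RFC 5246 / RFC 8446 / RFC 6066).
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_NAME_TYPE_HOST = 0x00


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Return n bytes at pos, refusing to run past the end (lengths on the wire are untrusted)."""
    if n < 0 or pos + n > len(buf):
        raise ValueError("truncated TLS data")
    return buf[pos:pos + n]


def build_client_hello(hostname: Optional[str],
                       cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Build one TLS record carrying a minimal ClientHello.

    hostname=None yields a ClientHello with no server_name extension,
    which is what a pre-SNI client (or a scanner connecting by IP) sends.
    """
    extensions = b""
    if hostname is not None:
        # RFC 6066: HostName is an ASCII DNS name (IDNA A-labels), never an IP literal.
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # legacy_version = TLS 1.2 (TLS 1.3 uses the same)
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty legacy_session_id
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type, legacy record version, payload length.
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a plaintext ClientHello record, or None if absent.

    Nothing here needs a key: the name sits in cleartext in the first flight.
    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    hdr = _take(record, 0, 5)
    if hdr[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", hdr[3:5])[0]
    hs = _take(record, 5, rec_len)
    if _take(hs, 0, 1)[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(_take(hs, 1, 3), "big")
    body = _take(hs, 4, hs_len)

    pos = 2 + 32                                      # skip legacy_version and random
    sid_len = _take(body, pos, 1)[0]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2 + cs_len
    cm_len = _take(body, pos, 1)[0]
    pos += 1 + cm_len
    if pos == len(body):
        return None                                   # no extensions block at all (pre-SNI client)
    exts_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    end = pos + exts_len
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello length")

    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", _take(body, pos, 4))
        pos += 4
        data = _take(body, pos, ext_len)
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", _take(data, 0, 2))[0]
        p, list_end = 2, 2 + list_len
        while p < list_end:
            name_type, name_len = struct.unpack("!BH", _take(data, p, 3))
            p += 3
            name = _take(data, p, name_len)
            p += name_len
            if name_type == SNI_NAME_TYPE_HOST:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    # Constructed sample: two virtual hosts on one IP plus one legacy client without SNI.
    for host in ("shop.example", "mail.example", None):
        hello = build_client_hello(host)
        print(f"{str(host):>14} -> SNI seen on the wire: {extract_sni(hello)!r}")
```

The parser handles a single unfragmented record, which is the common case for a ClientHello; a TLS 1.3 ClientHello has the same layout, so nothing changes there. A server would use the returned name to index its certificate table and fall back to a default certificate when it gets None. With ECH deployed, the outer ClientHello still carries a server_name, but it holds the public name of the client-facing server, so this parser would return that name rather than the real destination, which is precisely the point of the extension.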
Key idea
Server Name Indication carries the desired hostname in the ClientHello so one IP can present the right certificate for many sites; classic SNI is visible to anyone on the path, and Encrypted Client Hello exists to hide it.