SNI vs Unique IP-Based SSL

Michael Ossou

These days, the use of SSL has become much more common. Traditionally, it was mandatory to have your website set up with a unique IP in order to use an SSL certificate.

More recently, SNI-based SSL has become available and it has caused some confusion. In this post, I'm going to discuss the topic and hopefully give you enough information so that you can choose what's the best option for you.

First off, let's discuss the use of shared IP addresses. As you know, there are a finite number of publicly accessible unique IP addresses in the world. Thus, there is now usually a cost associated with their use.

Since not everyone needs their own unique IP address, shared IPs can be used. This means multiple people can use the same unique IP address. In this scenario, even though multiple domains are pointing to the same endpoint, web servers can differentiate the traffic by parsing the Host header in the HTTP request.

This worked great for some people, until they wanted to use SSL. At that point, it was necessary to upgrade to a unique IP address. SNI (Server Name Indication) allows this requirement to be circumvented. There is one caveat here, however: both the server and the browser must support SNI in order for things to work. We support the use of SNI on the server side; however, you will need to decide if your user base also supports it.

This Wikipedia article contains a list of supported browsers. I should also mention that Windows XP clients do not support the use of SNI.

So assuming you have a user base that consists of modern clients, SNI should meet your needs. One thing to keep in mind is that Everleap employs hardware-based load balancers. So if you do elect to go with a unique IP, make sure you read this article.


2 Responses
  • Joginder Gujela

    Great article. I think SNI is going to solve the problem for most of the user base, and it's also going to save them the cost of an IP, which is easily between $30-$50.

  • ChrisW

    Another page that lists which browsers support SNI is http://caniuse.com/#feat=sni
