SNI (Server Name Indication)

Server Name Indication. A TLS extension that lets the client tell the server which hostname it's connecting to, before the cert is presented. Required for hosting many TLS sites on one IP.

SNI (Server Name Indication, RFC 6066) is the TLS extension that lets a client tell the server "I'm trying to reach acme.com" inside the ClientHello, before any application data flows. The server uses that hint to pick which certificate to serve.

Without SNI, a server on one IP:port can only present one TLS cert (a single SAN or wildcard cert can still cover several names, but that doesn't scale to arbitrary customer domains). With SNI, that same server can serve thousands of certs, picking the right one per connection.

Why SNI is critical for SaaS

A multi-tenant SaaS serves dozens or thousands of custom domains from the same edge IP. When a request comes in for acme.com:

  1. Client sends ClientHello with server_name = acme.com.
  2. Edge looks up which cert covers acme.com.
  3. Edge presents that cert in its Certificate message (sent in the clear after ServerHello in TLS 1.2; encrypted in TLS 1.3).
  4. Handshake completes; request flows.

No SNI = the edge can't tell what cert to serve. It either falls back to a default cert, which fails the client's hostname check for acme.com, or (depending on configuration) rejects the connection outright. Either way the client doesn't get a working TLS session. SNI is what makes hosting many TLS hostnames on a single IP feasible.

Encrypted SNI (ESNI) and ECH

SNI is sent in the clear in both TLS 1.2 and TLS 1.3, because the ClientHello goes out before any keys exist. Anyone watching the network can see which hostname the client wants, even when the rest of the session is encrypted. Privacy-conscious folks didn't love this.

  • ESNI was an early attempt at encrypting just the SNI. Abandoned in favor of ECH.
  • ECH (Encrypted Client Hello, IETF draft draft-ietf-tls-esni) is the successor: it encrypts the sensitive parts of the ClientHello to a public key the server publishes in an HTTPS DNS record. Slowly rolling out in 2025-26. Cloudflare, Chrome and Firefox support it; many networks and middleboxes haven't caught up, and it only hides anything if the DNS lookup for that key is itself encrypted (DoH/DoT).

For most SaaS, SNI being in the clear isn't a problem; it's the same hostname your users' ISPs already see in plaintext DNS lookups (unless the user has switched to DoH/DoT, in which case SNI becomes the last place that hostname leaks).

When SNI is missing

Very old clients (some embedded devices, Python 2 before 2.7.9, PHP before 5.3.2, Java 6, Android 2.x, IE on Windows XP) don't send SNI. They'll get whatever the "default" cert is on your edge, which almost certainly won't match the hostname they wanted, so the client fails certificate validation and the connection dies. You can reproduce exactly what such a client sees with openssl s_client -connect yourhost:443 -noservername and comparing the presented cert against a run with -servername yourhost.

In 2026 this is almost never a real problem; the affected clients are 10+ years old.
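To make the handshake steps above and the missing-SNI case concrete, here is an added example (not Domainee's code, not from the original page) that parses the server_name extension straight out of raw ClientHello bytes and then does the edge's cert lookup, including the default-cert fallback when no SNI is present. Because the ClientHello is unencrypted, no keys are needed to read it, which is the "in the clear" point from the ECH section. The hostnames, the cert table and the ClientHello builder are constructed for illustration; the builder emits only the fields the parser has to walk past, not a full browser ClientHello.

```python
"""Parse SNI out of a raw TLS ClientHello and pick a cert the way an edge does.

Added example, not the page's or Domainee's code. Hostnames, cert IDs and
the ClientHello bytes below are constructed for illustration.
"""
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension, RFC 6066 section 3


def build_client_hello(server_name=None):
    """Build a minimal ClientHello record (constructed test input).

    server_name=None omits the extension entirely, like a pre-SNI client.
    Only the fields extract_sni() walks past are populated.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerNameList entry: name_type host_name (0) + 2-byte length + name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    body = (
        b"\x03\x03"            # legacy_version 0x0303
        + bytes(32)            # random (zeros; constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:  # content_type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # version + random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos >= len(body):
        return None                                  # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        off = 2
        while off + 3 <= 2 + list_len:
            name_type = data[off]
            name_len = struct.unpack("!H", data[off + 1:off + 3])[0]
            name = data[off + 3:off + 3 + name_len]
            off += 3 + name_len
            if name_type == 0:                       # host_name
                return name.decode("ascii").lower()
    return None


# Constructed cert table for a hypothetical edge: hostname -> cert id.
CERT_TABLE = {
    "acme.com": "cert-acme-2026",
    "www.acme.com": "cert-acme-2026",
    "*.customers.example": "cert-wildcard-customers",
}
DEFAULT_CERT = "cert-edge-default"  # what a no-SNI client ends up with


def select_cert(server_name, table=CERT_TABLE, default=DEFAULT_CERT):
    """Exact match first, then a single-label wildcard, else the default.

    Returns (cert_id, reason). A client that sent no SNI gets the default
    cert, which will not validate for whatever name it actually wanted.
    """
    if server_name is None:
        return default, "no-sni"
    if server_name in table:
        return table[server_name], "exact"
    labels = server_name.split(".")
    if len(labels) > 2 and "*." + ".".join(labels[1:]) in table:
        return table["*." + ".".join(labels[1:])], "wildcard"
    return default, "unknown-host"


def route(record):
    """One edge connection: read SNI from the ClientHello, choose the cert."""
    return select_cert(extract_sni(record))


if __name__ == "__main__":
    for name in ("acme.com", "tenant1.customers.example", "unknown.test", None):
        print(name, "->", route(build_client_hello(name)))
```

Running it shows acme.com and a tenant under the wildcard resolving to their certs, an unknown hostname and the SNI-less ClientHello both landing on the default cert; the "no-sni" reason is the case the "When SNI is missing" section describes. A real edge would also treat a name_type other than host_name, or a hostname containing a literal IP, as invalid rather than silently ignoring it.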

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.