Problem Description
The TLS protocol extension SNI (Server Name Identification) field is empty, does it mean that there is only one website on an IP, rather than hosting multiple websites?
The answer is yes. The SNI field is empty, which means that the server is exclusive and only provides one-to-one service for a website.
HTTP
A hosting server (Host Server), if hosting a plaintext http service, only relying on the hostname and domain fields in the Http Header, you can tell which website the client wants to connect to, and then return the web page requested by the client to Client.
HTTPS
Why can't Https be like Http? Why do we need a brand new SNI field to distinguish who is the real destination server?
Because after the client and the hosting server establish a TCP connection, the TLS security handshake is performed immediately, and there is nothing http at all.
The most critical step in the secure handshake is that the hosting server pushes the certificate of a specific client server to the client to facilitate the client to verify whether the server is legal.
However, there may be hundreds or thousands of client certificates on the hosting server. If the client does not give a hint, how does the hosting server know which certificate to choose and push it to the client?
SNI (Server Name Indication)
With the SNI field, it is easy to fill in the domain name of the target server, and then the hosting server can use the SNI field information as an index to query the digital certificate database and extract the corresponding certificate. The Server Hello message is pushed to the client with a "Certificate" message. The client successfully authenticates. Finally, the two parties negotiate a secure TLS encrypted tunnel, and the plaintext Http message can be thrown into the TLS tunnel.
Obviously, the SNI field is located in the TLS protocol header and is presented in plain text. The information filled in the SNI field is extracted by the client from the protocol header in http and assigned to SNI.
Is the private key of the target server's certificate stored on the hosting server?
For readers with solid theories, even if they have not deployed a managed service, they can know it by logical reasoning, and there is no need to resort to others.
In the key distribution stage, if RSA public key encryption "Pre-Master Secret" is used, the escrow server needs to use the private key to decrypt and obtain the plaintext "Pre-Master Secret", and must have the plaintext private key. During handshake connection, all parts that require private key signature also need private key.
In order to facilitate these tasks, the hosting server usually has the private key of the target server.
How does a hosting server exist?
Reverse proxy, that is, the proxy target server communicates with the client. This reverse proxy is proxying HTTPS secure communication.
The communication between the proxy server and the target server is also completed using HTTPS. At this time, the proxy server is the client, and the target server is the server.
Some readers may be puzzled to ask, since all the data of the proxy server comes from the target server, what kind of existence value does it have?
The proxy server caches all static pages that can be cached locally. As long as the static content has not expired, it can be returned directly to the client, which can greatly reduce the user's waiting time and reduce the harassment of the target server's repetitive content.
The above is the news sharing from the PASSHOT. I hope it can be inspired you. If you think today' s content is not too bad, you are welcome to share it with other friends. There are more latest Linux dumps, CCNA 200-301 dumps, CCNP Written dumps and CCIE Written dumps waiting for you.
Cisco Dumps Popular Search:
ccna routing and switching latest dumps ccna 200-301 image ccna 200 301 labs jeremy cioara ccna 200 301 new ccna topics 2020 juniper ccna pdf ccie data center blog ccnp tshoot 300-135 cbt nuggets r/ccna cisco ccna security exam
Copyright © 2024 PASSHOT All rights reserved.