HTTPS client - certificate

0
votes

I write raw HTTPS client in C - a program that takes domain name, resolves it to IP address (via DNS), connects to the IP address on port 443 (SSL), performs SSL handshake and then sends HTTP request via the SSL socket.

To try this program I have a domain hosted on a webserver. I installed Let's encrypt certificate for the domain.

I found out that there are many domain names sharing the same IP address as my domain. So when I connect to the IP address on port 443 to perform SSL handshake who ensures that mydomain's SSL certificate will be sent from the server to the client and not another certificate belonging to other domain name sharing the same IP address?

1
ssl
webmasters.stackexchange.com/questions/13988/… - jveazey

1 Answers

2
votes

There exists a TLS extension called Server Name Indication (SNI) which is widely used (and is e.g. require for http/2 clients). You can find the formal specification of this extension in RFC 6066.

Using SNI, a client can send a desired hostname in its Hello request which allows the server to select a matching key/certificate combination for this connection.