What is SNI?

November 1, 2017

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

This allows a server to present multiple certificates on the same IP address and TCP port number, and hence lets multiple secure (HTTPS) websites (or any other service over TLS) be served from the same IP address without requiring all of those sites to use the same certificate.

It is the conceptual equivalent of HTTP/1.1 name-based virtual hosting, but for HTTPS.

The hostname is included in the initial SSL handshake to support servers which have multiple host names (with different certificates) on the same IP address (SNI: Server Name Indication).

This is similar to the Host header in plain HTTP requests. The name is included in the first message from the client (ClientHello), that is, before any identification and key exchange is done, so that the server can offer the correct certificate for identification.

Therefore, with clients and servers that implement SNI, a server with a single IP address can serve a group of domain names for which it is impractical to get a common certificate.

For an application program to implement SNI, the TLS library it uses must implement it and the application must pass the hostname to the TLS library.

Further complicating matters, the TLS library may either be included in the application program or be a component of the underlying operating system.

HTTP has a "Host" header which allows cost-cutting Internet hosting companies to pile hundreds of websites onto a single IP address. SSL has traditionally required a different IP address for each site, but this extension allows the server to respond with the certificate the browser is looking for.
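The paragraphs above say the hostname travels in the ClientHello, before any key exchange, which is why a server (or a passive network sensor) can read it directly off the first record. The following Python is an added example, not code from the original post: it constructs a minimal ClientHello with and without the server_name extension and parses the hostname back out with bounds checks, so a malformed or truncated record returns None instead of raising. The single cipher suite, the record layout and the sample hostnames are constructed for illustration.

```python
import os
import struct

TLS_HANDSHAKE = 0x16           # record content type
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type
EXT_SERVER_NAME = 0x0000       # SNI extension type
NAME_TYPE_HOST_NAME = 0x00     # the only name type defined for SNI


def build_client_hello(hostname=None):
    """Construct a minimal ClientHello record (illustration only).

    One cipher suite, no real negotiation parameters.  With hostname=None
    the server_name extension is left out, as a client with SNI disabled
    would send it.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        sni_body = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + os.urandom(32)                         # client random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (constructed choice)
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None.

    None means: not a ClientHello, no SNI extension, or a truncated/malformed
    record.  Every length field is bounds-checked so bad input never raises.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                           # skip version and random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            if len(data) < ext_size:
                return None
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
                lpos += 3
                if name_type == NAME_TYPE_HOST_NAME:
                    return data[lpos:lpos + name_len].decode("idna")
                lpos += name_len
        return None
    except (struct.error, IndexError, UnicodeError):
        return None


if __name__ == "__main__":
    # Constructed sample records: what a server or a sensor sees first.
    for hello in (build_client_hello("shop.example.com"), build_client_hello(None)):
        print("SNI host:", extract_sni(hello))
```

The parser only reads the first record and does not reassemble a ClientHello split across several TLS records; for a sensor that is the usual first cut, with reassembly added where long ClientHellos are expected.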

Dealing with misconfigured sites

For Oracle, it is acceptable to throw an SSLException. It is possible to disable SNI, but the problem is that the setting is global (once disabled, it stays disabled for every subsequent request), and we had faced another problem:

Some sites REQUIRE SNI and do not work unless the client has SNI enabled (the client must send a hostname in the ClientHello!). Mostly this happens on Apache sites with SSLStrictSNIVHostCheck=on.

This site works only in browsers with SNI support.

Java 7 enables SNI by default, but the problem is that some sites have problems when the client sends SNI (this is incorrect on the server's part: a site should either require SNI or be SNI-agnostic).

But System.setProperty("jsse.enableSNIExtension", "true/false") is global, so in these cases the best option is to retry the connection with the opposite SNI setting: that is, just disable (or enable) SNI when retrying after an SSLHandshakeException.
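The retry strategy described above, as an added example that is not part of the original post. It is written in Python rather than Java because Python's ssl module chooses SNI per connection (through the server_hostname argument of wrap_socket) instead of through a process-wide property, so the "try with SNI, retry without" logic needs no global switch. The one caveat the no-SNI path has to handle: wrap_socket refuses check_hostname=True without a server_hostname, so the certificate name must then be checked by hand, since without SNI the server may well present its default certificate for a different site. The hostname matcher below is a deliberately minimal stand-in for a full RFC 6125 check; simulated_connect and the example hostnames are constructed so the retry logic can be exercised offline.

```python
import socket
import ssl


def hostname_in_cert(cert, host):
    """Minimal subjectAltName check: exact DNS match or one leftmost wildcard.

    Simpler than a full RFC 6125 matcher (no IP SANs, no partial-label
    wildcards); used only on the no-SNI path, where the ssl module cannot
    check the name for us.
    """
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if (value.startswith("*.") and host.count(".") == value.count(".")
                and host.endswith(value[1:])):
            return True
    return False


def tls_connect(host, port, use_sni, timeout=5.0):
    """Open a verified TLS connection, sending SNI only when use_sni is True.

    Chain verification stays on either way.  Without SNI the name check is
    done here because wrap_socket requires check_hostname=False when no
    server_hostname is given.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    if use_sni:
        return ctx.wrap_socket(raw, server_hostname=host)
    ctx.check_hostname = False
    tls = ctx.wrap_socket(raw)
    if not hostname_in_cert(tls.getpeercert(), host):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "certificate presented without SNI does not match %r" % host)
    return tls


def connect_with_sni_fallback(host, port, connect=tls_connect):
    """Try with SNI first; on a handshake failure retry once without it.

    Returns (connection, sni_used).  If both attempts fail, the first error
    is raised so the log shows the SNI-enabled failure.
    """
    try:
        return connect(host, port, True), True
    except ssl.SSLError as first_error:
        try:
            return connect(host, port, False), False
        except ssl.SSLError:
            raise first_error


def simulated_connect(host, port, use_sni):
    """Constructed stand-in for tls_connect: models a server that rejects
    SNI-enabled handshakes, so the retry path can be exercised offline."""
    if use_sni:
        raise ssl.SSLError("handshake failure (simulated)")
    return "connection-to-%s-without-sni" % host


if __name__ == "__main__":
    print(connect_with_sni_fallback("sni-hostile.example", 443, connect=simulated_connect))
```

Because the decision is per connection, a single misbehaving site does not force SNI off for every other connection in the process, which is exactly the drawback of the global Java property described above.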

A good explanation is here: SNI problems in Java