Sni block

From UnrealIRCd documentation wiki

The sni block allows you to use multiple SSL/TLS certificates on the same server, one per hostname that clients connect by.


(For a more technical explanation, see SNI (Server Name Indication) on Wikipedia.)

On multi-server networks you typically have an individual name for each server and a round-robin name that resolves to all of them. Users can connect to these servers via SSL/TLS, but the name they connect by must match a name in the certificate the server presents back to them.

In other words: if you connect by one name and the server presents a certificate issued for a different name, your client will show a certificate warning.

Since many networks allow you to connect both by individual server name and by round-robin name, this poses the question: which name do you put in the certificate?

Previously there were three possible solutions:

  • You load a wildcard certificate, covering every hostname under your domain, on all your IRC servers. Your users can then connect by either the round-robin name or the individual server name.
  • You load a multi-domain certificate on each server that contains both the round-robin name and that server's own name. Users can then connect by either name.
  • You load the round-robin certificate/key on all your IRC servers, and simply tell users to always connect by the round-robin name and never by an individual server name.

Now there is another solution available, which is called SNI. You can load two (or more) certificates on the same server:

  • A certificate for the round-robin name
  • A certificate for the server's individual name (irc1's own name on irc1, irc2's own name on irc2, and so on)

The server then decides which certificate to present based on the hostname the client sends in the TLS handshake (the SNI extension). This requires SNI support in the IRC client; clients without it are sent the default certificate. Newer mIRC versions and most other current clients are SNI-capable.

Note that SNI isn't 'better' than wildcard or multi-domain certificates, it simply adds another option for you to use, if you wish. One difference worth weighing: the wildcard and shared-certificate solutions put the same private key on every server, so a compromise of one server exposes a key that is valid for all names, whereas with SNI each server can hold only the key for its own name plus the shared round-robin key.


First, you need a "default" certificate/key that will be used for clients that do not support SNI. Think of which certificate is used most often and take that as a default. You configure this via the set::ssl block.

In our example the default SSL certificate is the one in ssl/irc_example_com.cert.pem:

set {
    ssl {
        certificate "ssl/irc_example_com.cert.pem";
        key "ssl/irc_example_com.key.pem"; /* the private key file, not the certificate file */
    };
};

Now you can add an SNI block for each "other" hostname. The name after sni is the hostname that clients connect by, and the certificate loaded in that block must be valid for that name. In our example, for the server's individual name:

sni <hostname> {
    ssl-options {
        certificate "ssl/irc1_example_com.cert.pem";
        key "ssl/irc1_example_com.key.pem";
    };
};

There's no need to add an SNI block for the default hostname, as we already loaded that certificate via set::ssl. After rehashing, you can check which certificate is actually served by connecting with and without SNI, for example with openssl s_client -connect <server>:<port> -servername <hostname> (and once more without -servername), and comparing the subject and subjectAltName of the two certificates: the first should be the sni block's certificate, the second the default one.
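The following is an added example and not UnrealIRCd code. It models the two decisions described on this page: the client's check "does the name I connected by match the certificate I was shown?" (RFC 6125-style matching, including the wildcard rules that decide whether the wildcard solution above actually covers a name), and the server's choice "which loaded certificate do I present for this SNI name, and what does a client without SNI get?". The file paths mirror the configuration above; the hostnames irc.example.com and irc1.example.com are assumptions chosen to fit those filenames. The probe() helper performs a live handshake and reports the presented certificate's DNS names; it is a real-network check and is not exercised by the offline simulation.

```python
# Added example (not UnrealIRCd code): hostname matching, SNI-based certificate
# selection and a live probe. Hostnames below are hypothetical.
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """A loaded certificate: its file path and the DNS names it is valid for."""
    path: str
    dns_names: tuple


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name matching as TLS clients do it.

    Case-insensitive; '*' is accepted only as the entire leftmost label and it
    matches exactly one label, so '*.example.com' covers 'irc1.example.com'
    but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    return any(hostname_matches(name, hostname) for name in cert.dns_names)


def client_warns(connect_name: str, presented: Cert) -> bool:
    """True when a client that connected by connect_name would show a
    certificate warning for the certificate the server presented."""
    return not cert_covers(presented, connect_name)


def select_certificate(sni_name: Optional[str], default: Cert,
                       sni_certs: List[Cert]) -> Cert:
    """Server side. A client that sends no SNI (older client) gets the default
    (set::ssl) certificate. A client that sends SNI gets the first sni-block
    certificate covering that name, and the default otherwise; in that fallback
    case the client sees a mismatch, exactly as a client without SNI would."""
    if not sni_name:
        return default
    for cert in sni_certs:
        if cert_covers(cert, sni_name):
            return cert
    return default


def probe(host: str, port: int, sni_name: Optional[str] = None,
          cafile: Optional[str] = None, timeout: float = 5.0) -> List[str]:
    """Live check: connect to host:port, with SNI if sni_name is given, and
    return the DNS SANs of the certificate the server actually presented.
    Hostname checking is off on purpose (we want to inspect, not reject);
    the chain must still verify against cafile or the system CA store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            info = tls.getpeercert()
    return [value for kind, value in info.get("subjectAltName", ())
            if kind == "DNS"]


# Constructed sample matching the configuration above: a default certificate
# for the round-robin name and one sni block for this server's own name.
DEFAULT_CERT = Cert("ssl/irc_example_com.cert.pem", ("irc.example.com",))
IRC1_CERT = Cert("ssl/irc1_example_com.cert.pem", ("irc1.example.com",))
SNI_CERTS = [IRC1_CERT]


def simulate(connect_name: str, client_has_sni: bool) -> dict:
    """One connection: which certificate the server presents and whether the
    client ends up with a certificate warning."""
    presented = select_certificate(connect_name if client_has_sni else None,
                                   DEFAULT_CERT, SNI_CERTS)
    return {"presented": presented.path,
            "warning": client_warns(connect_name, presented)}


if __name__ == "__main__":
    for name in ("irc.example.com", "irc1.example.com"):
        for sni in (True, False):
            print(name, "SNI" if sni else "no SNI", simulate(name, sni))
```

The simulation shows the case the default certificate is there for: a client without SNI connecting by the individual server name is handed the round-robin certificate and warns, while the same client connecting by the round-robin name is fine, which is why the most-used name belongs in set::ssl.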