Networking in C · intermediate · ~12 min

TLS handshake bytes — where SNI lives

Find the hostname inside a TLS Server Name Indication extension.

Overview

Two big-endian length reads + a type check, then a bounded copy of the host bytes.

Why it matters

SNI is the one plaintext hostname in a TLS session — the field monitors and filters depend on.

Lesson

Why this matters

TLS encrypts everything — except the ClientHello, which is sent in the clear before keys exist. Inside it, the SNI extension carries the target hostname in plaintext. That's the field every passive TLS monitor, SNI-based filter, and traffic classifier reads.

What the SNI extension payload looks like

[server_name_list_len : 2]   big-endian
[name_type : 1]              0x00 = host_name
[name_len : 2]               big-endian
[host bytes ...]

All multi-byte lengths are big-endian (network byte order).

Your job

Implement int extract_sni(const uint8_t *ext, size_t n, char *out, size_t cap) that reads the list length, checks the type is 0x00, reads the host length, and copies the host into out — validating every length against n and the output against cap.

What this is NOT

A TLS client or a MITM — we only parse a captured extension payload.
A full ClientHello walker — that wraps this same field.

Summary

list_len, type==0, name_len, copy host. Big-endian; bounds-check against n and cap.

Practice with these exercises

Extract the SNI host from a TLS extension