Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)


Topic review


Re: SNI Not Supported

Thanks for your post.

This issue has been added to the tracker:

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

SNI Not Supported

When using FTP with either explicit or implicit TLS, in the TLS ClientHello, WinSCP 5.7.17 on Windows 10 is not sending SNI (server name indication). I would like it to do so.

ProFTPD as of 1.3.7 (1.3.7rc3) supports SNI. The release notes say, "mod_tls now honors client-provided SNI as part of the TLS handshake, for implementing name-based virtual hosts via TLS SNI."

Now that ProFTPD supports SNI and free certificates are trivially available via Let's Encrypt, it is feasible to configure named-based virtual hosts for FTP. A shared hosting server that supports,, and can serve the three different certificates based on what the client sends as SNI. That way, each customer can configure their FTP client using their own site's domain. Traditionally, they would need to know the server name, which might be The SNI named-based configuration is more user-friendly. This is the same model used for HTTPS, so it's something that administrators are already familiar with.

Having SNI support in WinSCP would be really nice. Other clients already support SNI. lftp, the command line client on Linux, supports SNI. FileZilla supports SNI. (FileZilla doesn't do certificate validation at all; users always have to approve the certificate. That is less than ideal.)

The previous comment suggests that WinSCP supports SNI: It suggests adding the hostname to the front of the username with a pipe as the separator. That doesn't seem to change anything regarding SNI. Even if it did, I would like to see the SNI support be automatic. WinSCP should automatically send the configured Site's "Host name" as the SNI.

Hopefully this is easy to implement. In theory, this should be one call from the application layer into the TLS library. I think WinSCP might use OpenSSL. If so, use SSL_set_tlsext_host_name(). The right place to add it might be InitSSLConnection() in source/filezilla/AsyncSslSocketLayer.cpp, in the "if (clientMode)" block around line 683.

If you need a server to test with, please get in touch:


An update for an old thread:
WinSCP *does* currently support SNI, as of the creation of this reply. Use the following items (which might need to be tweaked, based on the webserver you are using, the port, etc). The following should work with sites created with IIS 10 requiring TLS.

File protocol: FTP
Encryption: Explicit (appropriate for using Port 21 ---- might need to be adjusted if using 990)
Host name: (replace with the appropriate SNI for your site)
User name:|login_username (see note below if you are using the command-line)

If you can log in using the GUI, simply go to Session -> Generate Session URL/code, and choose PowerShell from the dropdown. This will perform the necessary character-escaping for you. Some examples of characters that need escaping: the pipe-character (from the Username), double-quotes (by using the "tic" mark (`), most "special characters".

Re: Support SNI

WinSCP does not support SNI atm.
It should not be a problem to add it, though.
Do you have a server, where we can test it?

Support SNI

Just looking to get confirmation that Winscp supports SNI. Can't find any reference within the documentation provided