Description
I'm not 100% certain how this interoperates with all the various SSL and TLS versions, but we might want to consider adding an option to refuse non-SNI handshakes completely.
The rationale is this:
If we have multiple sites, as configured in ssl_multicert.config, but the box does not have unique IPs for each such cert, then the current behavior is undesirable (maybe even insecure?). E.g. the setup would be
dest_ip=* ssl_cert_name=cert1.crt ssl_key_name=key1.key
dest_ip=* ssl_cert_name=cert2.crt ssl_key_name=key2.key
dest_ip=* ssl_cert_name=cert3.crt ssl_key_name=key2.key
In the case of a non-SNI connection, the first certificate will now always be presented. This is likely not to be "secure", in that the browser will either reject or give nasty errors / warnings about the wrong CN in the certificate.
In this case, having an option to say "refuse non-SNI handshakes" might be more desirable.