The approach of using a special default web application simply would not work. You can't do that because said limited clients don't just open a different page, they fail completely.

Consider you have a "default" vhost which a non-SNI client will open just fine. You also have an additional vhost which is supposed to be opened by an SNI-supporting client. Obviously, these two must have different hostnames (say, default.example.com and www.example.com), else Apache or nginx wouldn't know which site to show to which connecting client. Now, if a non-SNI client tries to open https://www.example.com, he'll be presented with a certificate from default.example.com, which would give him a certificate error. This is a major caveat.

A fix for this error is to make a SAN (multi-domain) certificate that would include both www.example.com and default.example.com. Then, if a non-SNI client tries to open https://www.example.com, he'll be presented with a valid certificate, but even then his Host: header would still point to www.example.com, and his request will get routed not to default.example.com but to www.example.com.

As you can see, you either block non-SNI clients completely or forward them to an expected vhost. There's no sensible option for a default web application.
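To make the argument above concrete, here is an added simulation (not code from the answer or from Apache/nginx) of the three steps involved: the server picks a vhost by SNI and presents its certificate, the client validates that certificate against the hostname it typed, and the HTTP request is then routed by the Host: header. The vhost names and certificates are the constructed examples from the answer; the SAN matcher also handles a left-most wildcard label, which the answer does not discuss.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class VHost:
    name: str                   # server_name / ServerName of the vhost
    cert_sans: Tuple[str, ...]  # DNS names in the vhost's certificate SAN list

@dataclass
class Outcome:
    cert_sans: Tuple[str, ...]  # certificate the client was shown
    cert_valid: bool            # did it cover the hostname the client asked for?
    served_by: Optional[str]    # vhost that handled the HTTP request (None on TLS error)

def san_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname; one left-most wildcard label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*":
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h

def simulate(vhosts: Dict[str, VHost], default: str,
             sni: Optional[str], target: str) -> Outcome:
    """One HTTPS request from a client that typed https://<target>/.

    TLS: vhost chosen by SNI (default vhost when none is sent), its cert presented.
    Client: cert must cover `target`, else it is a certificate error and no request.
    HTTP: the request carries Host: <target> and is routed by that header.
    """
    tls_vhost = vhosts.get(sni or default, vhosts[default])
    cert = tls_vhost.cert_sans
    if not any(san_matches(san, target) for san in cert):
        return Outcome(cert, False, None)        # browser shows a certificate error
    http_vhost = vhosts.get(target, vhosts[default])
    return Outcome(cert, True, http_vhost.name)

# Constructed vhosts from the answer: a default vhost and the real site.
def build(default_cert: Tuple[str, ...]) -> Dict[str, VHost]:
    return {
        "default.example.com": VHost("default.example.com", default_cert),
        "www.example.com": VHost("www.example.com", ("www.example.com",)),
    }

SINGLE_NAME = build(("default.example.com",))                   # plain default cert
MULTI_NAME = build(("default.example.com", "www.example.com"))  # SAN certificate

if __name__ == "__main__":
    for label, conf in (("single-name", SINGLE_NAME), ("SAN", MULTI_NAME)):
        for sni in ("www.example.com", None):
            print(label, "SNI=%s" % sni, simulate(conf, "default.example.com", sni, "www.example.com"))
```

With the single-name default certificate the non-SNI client gets a certificate error and no vhost serves it; with the SAN certificate the handshake succeeds but the request still lands on www.example.com, never on the default vhost.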