> What's the point of SNI if it can be used to select the correct vhost
> before the handshake (modulo the port...), but TLS must possibly be
> renegotiated later for subsequent requests?
>
In configs that use separate certificates, it gets you the correct one, and these are n/a to the coalescing problem.

In configs that use the same certificate, I guess it gets you slightly different TLS parameters. If you use HTTP/2, you'll have to forgo these and per-dir renegotiations. Maybe the latter should just be deprecated; it seems like they cause constant problems.
