Hi. It's me again. Per http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it seems it's not necessary to specify an IP for SSL sites with SNI. Another useful feature could be to add a "hosted sites" list, with links, to the default sites. Another idea could be to (optionally) have two ports listening for every SSL-enabled site: 443 and a user-defined one. This way a non-SNI-enabled client could access an SNI-requiring site after accessing the default-ssl one (it could even support dynamic redirection based on the supplied hostname). Hope these ideas help to make ISPConfig even better! BYtE, Diego.
SNI is not the same as normal SSL with mod_ssl. SNI is a new feature which is not supported by older browsers. So if you are in a company environment where you can force your users to use only specific browser versions, then SNI is fine. But it's not a full replacement for internet use yet. This might change in a few years when no older Internet Explorer versions are in use anymore.
I know. But the current doc is at least incomplete. If you use a fairly recent distro (even Debian Squeeze, which does not have the most up-to-date packages... for good reasons), SSL sites w/ SNI work just like the non-SSL ones, so it's really possible to use both "IP-based SSL hosts" (specifying a different IP for every host that uses SSL), or "SNI-based vhosts" (just using * as IP), or a mix of the two as needed. All on a single server. It just misses "port-based SSL vhosts", which still require manual editing of config files. Too bad browsers still don't use the _https._tcp TXT DNS record. It wouldn't have required SNI... PS: if someone knows a browser that can do SNI on XP, I'd like to know...
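The mix described in the post above, sketched as a hand-written Apache 2.2 configuration. This is an added example, not part of the original thread and not configuration generated by ISPConfig; the addresses, hostnames, port 8443 and certificate paths are placeholders.

```apache
# Constructed example: Apache 2.2 with mod_ssl built against an SNI-capable OpenSSL.
# All addresses (192.0.2.x), hostnames and file paths below are placeholders.

Listen 443
Listen 8443

# Enable name-based matching on port 443 for addresses without a dedicated vhost.
NameVirtualHost *:443

# off: a client that sends no SNI hostname is served by the first *:443 vhost
#      (and therefore sees that vhost's certificate).
# on:  such a client is refused instead of being served the wrong site.
SSLStrictSNIVHostCheck off

# SNI-based vhosts ("*" as IP). The first one is the fallback for non-SNI clients.
<VirtualHost *:443>
    ServerName default.example.com
    DocumentRoot /var/www/default
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/default.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-a.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site-a.example.com.key
</VirtualHost>

# IP-based SSL vhost: a dedicated address, so the certificate is chosen by
# destination IP and clients without SNI support still get the right one.
<VirtualHost 192.0.2.10:443>
    ServerName legacy.example.com
    DocumentRoot /var/www/legacy
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.com.key
</VirtualHost>

# Port-based SSL vhost: the same site-a reachable on a second port without SNI.
<VirtualHost *:8443>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-a.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site-a.example.com.key
</VirtualHost>
```

`apache2ctl -S` prints which vhost Apache resolves as the default for each address and port, which makes the non-SNI fallback visible before clients hit it.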
ISPConfig does not support SNI-based vhosts as they do not work in many browsers and Windows XP is still a frequently used operating system. So the doc is complete if it tells you that SNI is not supported in ISPConfig.