I'm curious, in addition to a lack of compatibility with Windows XP and early versions of certain browsers, is there any other reason that one wouldn't want to use SNI?
There's the (lack of) security when the client advertises the expected cert CN outside of the secure session. But the real reason is simply client support. Last I looked, about 50% of requests looked like they came from clients that didn't support SNI. Suppose a ridiculously optimistic estimate of 90% support. Is it acceptable for 10% of your clients to have security warnings when visiting your site? That's an unacceptable customer experience, personally.
I'd be curious to know what the actual numbers are... IE 7 even supports SNI, as long as it is running on Vista+. I've seen stats that say XP usage is near 15% now, and some portion of that must include non-IE browsers, so perhaps 10% might be an accurate estimate? When you "last looked", where did you find that 50% stat?
With regard to the security hole, do you mean to say that having the domain name sent in the clear before the secure session is established is the problem? Other than some narrow privacy concerns, I can't see the real issue here, given that most of the time a certain IP address implies a certain domain name, and the destination IP address needs to be sent in the clear.