Hello Nikos,

The openconnect client is gui v1.3, and as long as the certificate was confirmed, no more warnings would be shown. Technically it's still a better idea to clearly notify users of potential man-in-the-middle attacks, once the certificate mismatches the domain/IP. Moreover, in my mind, some additional features are supposed to be helpful in the future: to read the server list from profile.xml and language packages.

As to AnyConnect, it seems Cisco has not yet implemented the SNI feature at present. The current policy is to allow only one certificate for each interface. However, the SAN attribute is recommended to handle multiple domains, as indicated on their forum. A little pity!

Regards,
Yick

2016-06-29 15:32 GMT+08:00 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>:
> On Wed, Jun 29, 2016 at 12:10 AM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>>
>> As I tested, the openconnect client can successfully tell them apart.
>
> That also means that in your platform the anyconnect client doesn't
> set server name indication. You can verify that by capturing traffic
> and verifying that the first handshake message contains the server
> name indication TLS extension.
>
> regards,
> Nikos