When using FTP with either explicit or implicit TLS, in the TLS ClientHello, WinSCP 5.7.17 on Windows 10 is not sending SNI (server name indication). I would like it to do so.
ProFTPD as of 1.3.7 (1.3.7rc3) supports SNI. The release notes say, "mod_tls now honors client-provided SNI as part of the TLS handshake, for implementing name-based virtual hosts via TLS SNI." http://www.proftpd.org/docs/RELEASE_NOTES-1.3.7a
Now that ProFTPD supports SNI and free certificates are trivially available via Let's Encrypt, it is feasible to configure name-based virtual hosts for FTP. A shared hosting server that supports example1.com, customer2.com, and site3.com can serve the three different certificates based on what the client sends as SNI. That way, each customer can configure their FTP client using their own site's domain. Traditionally, they would need to know the server name, which might be something.myhostingcompany.com. The SNI name-based configuration is more user-friendly. This is the same model used for HTTPS, so it's something that administrators are already familiar with.
Having SNI support in WinSCP would be really nice. Other clients already support SNI. lftp, the command line client on Linux, supports SNI. FileZilla supports SNI. (FileZilla doesn't do certificate validation at all; users always have to approve the certificate. That is less than ideal.)
The previous comment suggests that WinSCP supports SNI: https://winscp.net/forum/viewtopic.php?t=27515#96729
It suggests adding the hostname to the front of the username with a pipe as the separator. That doesn't seem to change anything regarding SNI. Even if it did, I would like to see the SNI support be automatic. WinSCP should automatically send the configured Site's "Host name" as the SNI.
Hopefully this is easy to implement. In theory, this should be one call from the application layer into the TLS library. I think WinSCP might use OpenSSL. If so, use SSL_set_tlsext_host_name(). The right place to add it might be InitSSLConnection() in source/filezilla/AsyncSslSocketLayer.cpp, in the "if (clientMode)" block around line 683.
If you need a server to test with, please get in touch: email@example.com
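As an added example, separate from the post above and not WinSCP or ProFTPD code: the check a practitioner would use to confirm whether a client actually puts SNI in its ClientHello. It drives OpenSSL's client side against memory BIOs (no network, no server needed) so the raw ClientHello record can be captured, then parses the record and pulls out the server_name extension (RFC 6066, extension type 0). Python's `server_hostname=` is the same single application-layer call the post describes: CPython hands it to OpenSSL's `SSL_set_tlsext_host_name()`, so the "with" and "without" cases mirror a client that does and does not make that call. The host names are the ones used in the post as illustration; no real server is contacted.

```python
import ssl
import struct


def build_client_hello(server_hostname=None):
    """Run the client side of a TLS handshake against memory BIOs (no network)
    and return the raw ClientHello record the client would put on the wire.
    server_hostname=None models a client that never sets the SNI host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # we only look at the ClientHello, never verify
    incoming = ssl.MemoryBIO()          # bytes "from the server": none
    outgoing = ssl.MemoryBIO()          # bytes the client wants to send
    # server_hostname is the one application-layer call: CPython passes it to
    # OpenSSL's SSL_set_tlsext_host_name(), which adds the server_name extension.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # ClientHello written; now waiting on the peer
    return outgoing.read()


def extract_sni(client_hello):
    """Parse one TLS handshake record holding a ClientHello and return the
    host_name from the server_name extension, or None if it is absent."""
    ctype, _version, rec_len = struct.unpack("!BHH", client_hello[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    body = client_hello[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                   # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    comp_len = hello[pos]
    pos += 1 + comp_len                            # compression_methods
    if pos >= len(hello):
        return None                                # no extensions block at all

    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:                          # 0 = server_name (RFC 6066)
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if name_type == 0:                     # 0 = host_name
                return name.decode("ascii")
            p += 3 + name_len
    return None


if __name__ == "__main__":
    # The three customer sites from the post, plus a client that sets no name.
    for host in ("example1.com", "customer2.com", "site3.com", None):
        print(repr(host), "->", extract_sni(build_client_hello(host)))
```

The same parser works on a ClientHello captured with Wireshark or tcpdump from any FTP client, which is how to settle whether a given WinSCP build sends SNI: save the first client-to-server TLS record after AUTH TLS (explicit) or after connect (implicit) and feed its bytes to `extract_sni()`. One caveat when configuring sites: RFC 6066 only allows DNS host names in server_name, so a site whose "Host name" is an IP literal cannot be selected by SNI and will still get the server's default certificate.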