Right now, Undertow does not support TLS SNI, also it is not currently possible to provide it ourselves, since Undertow creates the SSLEngine itself, and does not provide any hooks for modifying it after creation.

The ideal solution would ofcourse be for Undertow to support SNI directly, similar to the way Jetty does it, by traversing al the certificates in the keystore. But we can almost do this ourselves from outside by modifying the keymanagers and the options on the created SSLEngine - unfortunately that SSLEngine seems to be created inside Undertow without possibilities for modifying the options (setUseCipherSuitesOrder / setSNIMatchers) on it.

If UndertowAcceptingSslChannel could either get an SSL engine injected from outside, or allow outside code to hook into it after creating it, we could add it ourselves.
See XNIO-227.