Haproxy allows for verifying hosts without SNI, using the option verifyhost(www.google.com) on the server directive line.^1
Many, in fact probably most, websites using TLS on the internet do not require SNI, despite the popularity of some very large shared hosting companies.
Most sites (cf. URLs) posted to HN using TLS do not require SNI.
(A major browser will send SNI anyway, unencrypted clear text hostname over the wire, even when it is not necessary.)
(TLS 1.3 fixes the problem but it is only available for Cloudflare-hosted sites at the present time.)
Let's look at an illustration.
example.com
echo |openssl s_client -showcerts -connect 93.184.216.34:443 |openssl x509 -text -noout |less
No SNI sent. We are given a number of SANs we can check against. DNS:example.com is there.
Cheers.
www.amazon.com
echo |openssl s_client -showcerts -connect 23.46.215.151:443 |openssl x509 -text -noout |less
No SNI sent. We are given a number of SANs to check against.
DNS:www.amazon.com is there.
Cheers.
www.google.com
echo |openssl s_client -showcerts -connect 172.217.17.68:443 |openssl x509 -text -noout |less
WTF. Fix your company. Everyone else can return a cert with a list of SANs.
1. Funny that one can verify www.haproxy.com using the default "verify required" but not www.haproxy.org. There is no SAN for www.haproxy.org at 51.15.8.218. The cert only lists some SANs for formilux.org
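
The check described in the comment above, as an added example that is not part of the original comment: a handshake with no SNI, followed by a comparison of the expected hostname against the DNS SANs of the returned certificate. The function names and the sample certificate are constructed for illustration, and the wildcard handling is a conservative reading of the usual rule (a wildcard only as the whole leftmost label).

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from the subjectAltName of an ssl.getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Compare one SAN entry with a hostname; '*' may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def verify_host(cert, expected):
    """True if any DNS SAN in the certificate covers the expected hostname."""
    return any(name_matches(san, expected) for san in san_dns_names(cert))

def fetch_cert_without_sni(ip, port=443, timeout=5.0):
    """Handshake with no server_hostname, so no SNI extension is sent.
    The chain is still validated against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the name check is done by verify_host()
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:    # no server_hostname -> no SNI
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.com"),
                                  ("DNS", "*.example.net"),
                                  ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    import sys
    ip, expected = sys.argv[1], sys.argv[2]   # e.g. an IP address and the hostname to check
    cert = fetch_cert_without_sni(ip)
    print("SANs:", san_dns_names(cert))
    print("match" if verify_host(cert, expected) else "NO MATCH", "for", expected)
```

If the server's default certificate does not chain to a trusted root, the handshake raises `ssl.SSLCertVerificationError` before any SAN comparison happens.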