I know I would need a wildcard ssl yet...every application of SNI I have found uses different TLD, and never only different subdomains...anyway I have control over all the clients. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,239732,239764#msg-239764