Hi Stefan, as I've tried to do nearly the same some weeks ago, I can tell you what I did.
Comments inline.

Am 24.05.2018 um 13:34 schrieb Stefan Eissing (On 24.05.2018 at 13:34, Stefan Eissing wrote):
> So, we are lacking an option here to abort SSL connections without a vhost
> match, it seems. Something like
>
> SSLStrictSNIVHostCheck require-match

No, this will not solve the problem, as you may have clients not supporting SNI at all.

I tried the same with

    SSLStrictSNIVHostCheck On

Nowadays those clients see the wrong cert but still land in the correct vhost container, so they "work".

What I did is creating a vhost container which is loaded first in config order:

1.) Create a fake or general SSL cert (something like a white label cert)

2.) Create the container:

    <VirtualHost $IP:443>
        # Because this virtual host is defined first, it will
        # be used as the default if the hostname is not received
        # in the SSL handshake
        ServerName unknown
        DocumentRoot /usr/local/apache/htdocs/
        Protocols h2 http/1.1

        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        SSLCertificateChainFile ...
        SSLEngine on

        ErrorLog /usr/local/apache/logs/htdocs-error.log
        TransferLog /usr/local/apache/logs/htdocs-access.log

        # Rewrite to correct hostname using http - vhost container does not have https
        RewriteEngine On
        RewriteRule (.*) http://%{HTTP_HOST}/$1 [R=301,L]
    </VirtualHost>

Greets,
Stefan
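The point of the message above is that, for clients sending no SNI name (or an SNI name matching no vhost), httpd falls back to the first SSLEngine-on VirtualHost listed for that address, so config order decides which certificate and content a non-SNI client gets. The following is an added example, not code from the thread or from the httpd project: a small Python check that parses a constructed httpd config fragment (the sample below is made up; the catch-all is recognised purely by its ServerName, here "unknown", which is an assumption of this script) and reports, per listening address, which vhost non-SNI clients would land in and whether it is a designated catch-all rather than a real site. Run it against your own config order before and after moving the catch-all container to the top.

```python
"""Report the default (first-listed) TLS VirtualHost per address in an httpd config.

Added example; the config below is constructed for illustration.
"""
import re
from collections import OrderedDict

# Constructed sample config: three TLS vhosts share 192.0.2.10:443; the "unknown"
# catch-all from the message above is listed first, so it is the default there.
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:443>
    ServerName unknown
    SSLEngine on
    SSLCertificateFile /etc/ssl/whitelabel.crt
    RewriteEngine On
    RewriteRule (.*) http://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.crt
</VirtualHost>

<VirtualHost 192.0.2.10:443 192.0.2.11:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/intranet.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def _directive(body, name):
    """First value of a directive inside one vhost body, or None if absent."""
    m = re.search(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None


def parse_vhosts(config_text):
    """Return VirtualHost blocks in config order; that order is what picks the default."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        body = m.group(2)
        vhosts.append({
            "addrs": m.group(1).split(),
            "server_name": _directive(body, "ServerName"),
            "ssl": (_directive(body, "SSLEngine") or "off").lower() == "on",
            "cert": _directive(body, "SSLCertificateFile"),
            # does the vhost bounce requests to plain http, as the message suggests?
            "redirects_to_http": bool(
                re.search(r"^[ \t]*RewriteRule[ \t]+.*\bhttp://", body, re.M | re.I)),
        })
    return vhosts


def default_tls_vhosts(vhosts):
    """Map each listening address to the first SSLEngine-on vhost for it.

    That vhost (and its certificate) is what a client gets when its handshake
    carries no SNI name or a name matching no vhost on that address.
    """
    defaults = OrderedDict()
    for vh in vhosts:
        if not vh["ssl"]:
            continue
        for addr in vh["addrs"]:
            defaults.setdefault(addr, vh)
    return defaults


def audit(config_text, catchall_names=("unknown",)):
    """Per address: which vhost non-SNI clients land in, and whether it looks like a
    designated catch-all (ServerName heuristic, an assumption of this script)."""
    report = []
    for addr, vh in default_tls_vhosts(parse_vhosts(config_text)).items():
        name = (vh["server_name"] or "").lower()
        report.append({
            "addr": addr,
            "default_server_name": vh["server_name"],
            "cert": vh["cert"],
            "is_catchall": name in catchall_names,
            "redirects_to_http": vh["redirects_to_http"],
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        status = "OK  " if row["is_catchall"] else "WARN"
        print(f"{status} {row['addr']}: no-SNI clients get '{row['default_server_name']}' "
              f"({row['cert']}), redirect-to-http={row['redirects_to_http']}")
```

With the sample as written, 192.0.2.10:443 reports the "unknown" catch-all, while 192.0.2.11:443 warns that non-SNI clients would see the intranet vhost and its certificate, which is exactly the exposure the catch-all container is meant to remove; swap the first two blocks and the warning moves to 192.0.2.10:443.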