As suggested in the wiki, did you set below during your tests. Let us know your findings.
# Listen for virtual host requests on all IP addresses NameVirtualHost *:443 # Go ahead and accept connections for these vhosts # from non-SNI clients SSLStrictSNIVHostCheck off Thanks, Anil > On Oct 17, 2019, at 9:50 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > >> On Thu, Oct 17, 2019 at 2:06 AM Marian Ion <m....@oodrive.com> wrote: > >> >> Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the >> documentation "If set to on in the default name-based virtual host, >> clients that are SNI unaware will not be allowed to access any virtual >> host". >> I set it in the default virtual host and in my "second.server" (that is >> supposed to be TLS 1.3 only) but it didn't change the behaviour (i.e. >> second.server still accepts TLS 1.2 requests...) > > TLS revision describes the handshake protocol. Either the listener accepts > TLS 1.2 handshakes, or it does not, it won't look at SNI until the handshake > is in flight with the respective TLS handshake. > > This points out the possibility of multi-homing the box with one IP which > accepts TLS 1.2+ and a different IP listening with TLS 1.3 only. > >