Apache 2.4 SSL – Fix Connection Drop on Default SSL Host

Tags: apache-2.4, sni, ssl

I am running Apache 2.4 on Debian serving some SSL websites. My domain name and certificates contain my real name, so I don't want any random user typing in my IP address to get the certificate and my name.

My approach would be to create a default virtual host on port 443 to drop all connections using modsecurity, so you only get the certificate if you know the domain name. With SNI it should be possible – Apache determines the right virtual host before the TLS handshake, right?

It does not seem to work as expected, however. If I enable the default host, every TLS connection seems to get dropped and I get an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser.

This is my configuration:

<VirtualHost *:443>
    ServerName defaultserverssl
    DocumentRoot /var/www/html
    SecRuleEngine On
    SecAction id:1,phase:1,nolog,drop
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www1.example.com
    DocumentRoot /my/document/root

    SSLCertificateFile /path/to/myfullchain.pem
    SSLCertificateKeyFile /path/to/myprivkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www2.example.com
    DocumentRoot /my/document/root

    SSLCertificateFile /path/to/myfullchain.pem
    SSLCertificateKeyFile /path/to/myprivkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I already tried the SSLStrictSNIVHostCheck option to force SNI, both on server level and in the individual vhosts, with no different result.

It looks like SNI is not working, or am I wrong about the way SNI works and my approach is not possible?

Best Answer

I have found a workaround for my problem.

As far as I understand, with SNI the client sends the requested server name within an extended TLS client hello - so there is no way to avoid an initial TLS handshake (or at least I didn't find a way to drop the connection just after receiving the client hello).

As a workaround, I created a self-signed certificate (containing no personal information) that I use with the default host. After the handshake, dropping the connection seems to work.

<VirtualHost *:443>
    ServerName defaultserverssl
    DocumentRoot /var/www/html

    SSLEngine On
    SSLCertificateFile /path/to/self-signed/default.crt
    SSLCertificateKeyFile /path/to/self-signed/default.key

    SecRuleEngine On
    SecAction id:1,phase:1,nolog,drop
</VirtualHost>
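To make the mechanism in this answer concrete, here is an added Python example (not part of the original question or answer) that builds a minimal TLS ClientHello with and without an SNI extension, parses the server name back out, and maps it to a virtual host the way Apache's default (non-strict) selection does: no SNI, or a name matching no vhost, falls through to the first *:443 vhost, which is the defaultserverssl host in the configurations above. The vhost names are taken from the question; the ClientHello bytes are constructed sample data, not a capture, and select_vhost is a simplified model of Apache's behaviour, not Apache's own code.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI), RFC 6066

# Virtual hosts from the question; the first one is Apache's default for *:443.
DEFAULT_VHOST = "defaultserverssl"
VHOSTS = {"www1.example.com", "www2.example.com"}


def build_client_hello(server_name=None):
    """Construct a minimal ClientHello record (constructed sample, not a capture).

    A browser that was given a hostname includes the SNI extension; a client
    connecting by bare IP address sends no server_name at all.
    """
    body = b"\x03\x03"                          # client_version TLS 1.2
    body += b"\x00" * 32                        # random (zeros in the sample)
    body += b"\x00"                             # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
    body += b"\x01\x00"                         # compression: null only
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if the hello has none.

    Raises ValueError for bytes that are not a complete ClientHello record.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                              # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len                   # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len                     # compression_methods
    if pos + 2 > len(body):                                   # no extensions block
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        lpos = 2                                              # skip server_name_list length
        while lpos + 3 <= len(data):
            ntype = data[lpos]
            nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == 0:
                return name.decode("ascii")
    return None


def select_vhost(record, vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Simplified model of Apache's non-strict SNI vhost selection (assumption,
    not Apache's code): an absent or unmatched server_name lands on the default
    vhost, whose certificate is then sent in the very next flight."""
    name = extract_sni(record)
    if name is None or name.lower() not in vhosts:
        return default
    return name.lower()


if __name__ == "__main__":
    for host in ("www1.example.com", None, "unknown.example.net"):
        print(repr(host), "->", select_vhost(build_client_hello(host)))
```

The point the parser makes visible is the one the answer relies on: the server name sits inside the ClientHello, so the server's reply to that very message already carries a certificate, and a ModSecurity phase-1 rule runs only later, after the handshake and the request line. The default host therefore has to own some certificate; the answer's self-signed one keeps the real name out of it. Note also that the question's original default vhost had no SSLEngine On; Apache decides from the default vhost for an address and port whether to speak TLS on it at all, which is consistent with the browser's SSL_ERROR_RX_RECORD_TOO_LONG (plaintext on port 443) and is exactly what the working configuration above adds.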