diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..a41edeab 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1455,6 +1455,14 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
     c->read->error = 1;
 
+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+#endif
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
 
     return NGX_ERROR;
@@ -1568,6 +1576,14 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
 
     c->read->error = 1;
 
+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+#endif
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
 
     return NGX_ERROR;
@@ -2547,6 +2563,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
     char *text)
 {
     int         n;
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+    int         f;
+#endif
     ngx_uint_t  level;
 
     level = NGX_LOG_CRIT;
@@ -2583,6 +2602,20 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 
         n = ERR_GET_REASON(ERR_peek_error());
 
+        /* Strict SNI Error Patch
+         * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+         */
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+        if (n == SSL_R_CALLBACK_FAILED) {
+            f = ERR_GET_FUNC(ERR_peek_error());
+            if (f == SSL_F_FINAL_SERVER_NAME) {
+                ERR_peek_error();
+                ERR_clear_error();
+                return;
+            }
+        }
+#endif
+
             /* handshake failures */
         if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 7dd28b8c..5e5bbed1 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     c = ngx_ssl_get_connection(ssl_conn);
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     host.len = ngx_strlen(servername);
 
     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     host.data = (u_char *) servername;
@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
                                      NULL, &cscf)
         != NGX_OK)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));