diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0ad514772..3546c3b83 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2451,11 +2451,10 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 trash.area[i] = 0;
 HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock);
+ node = NULL;
 /* lookup in full qualified names */
- node = ebst_lookup(&s->sni_ctx, trash.area);
-
- /* lookup a not neg filter */
- for (n = node; n; n = ebmb_next_dup(n)) {
+ for (n = ebst_lookup(&s->sni_ctx, trash.area); n; n = ebmb_next_dup(n)) {
+ /* lookup a not neg filter */
 if (!container_of(n, struct sni_ctx, name)->neg) {
 node = n;
 break;
@@ -2463,9 +2462,15 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 }
 if (!node && wildp) {
 /* lookup in wildcards names */
- node = ebst_lookup(&s->sni_w_ctx, wildp);
+ for (n = ebst_lookup(&s->sni_w_ctx, wildp); n; n = ebmb_next_dup(n)) {
+ /* lookup a not neg filter */
+ if (!container_of(n, struct sni_ctx, name)->neg) {
+ node = n;
+ break;
+ }
+ }
 }
- if (!node || container_of(node, struct sni_ctx, name)->neg) {
+ if (!node) {
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
 if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) {
 /* switch ctx done in ssl_sock_generate_certificate */
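Review bot: In the first hunk (`@@ -2451,11 +2451,10 @@`), starting from `node = NULL;` means an exact-name match made up only of `neg` entries no longer leaves `node` set, so `if (!node && wildp)` in the second hunk now consults the wildcard tree. The removed code kept the negative node in that case and went straight to the `!node || ...->neg` branch. After this change a `neg` entry is only ever skipped in both loops and never blocks a selection, so a wildcard entry can be chosen for a name that carries a negative filter. If negative filters are meant to exclude a name from a wildcard match, that looks like a change in certificate selection and should be confirmed against the documented filter semantics and covered by a test. At minimum the intent deserves a comment above the first loop, e.g. `/* neg entries are only skipped; they do not stop the wildcard lookup below */`. The body of ssl_sock_switchctx_cbk starts and ends outside these hunks.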
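Review bot: The wildcard loop added in the second hunk (`@@ -2463,9 +2462,15 @@`) is a line-for-line copy of the exact-name loop in the first hunk, differing only in the tree and the key passed to `ebst_lookup()`. Two copies of the rule that decides which certificate a client is shown can drift apart when one of them is later corrected. A small static helper that returns the first non-`neg` duplicate would keep that rule in one place; the helper name below is only a suggestion. The function body continues outside both hunks, so the call sites are shown in isolation.

```c
/* Proposed helper: first entry for <name> in <root> that is not a negative filter, or NULL. */
static struct ebmb_node *sni_first_non_neg(struct eb_root *root, const char *name)
{
	struct ebmb_node *n;

	for (n = ebst_lookup(root, name); n; n = ebmb_next_dup(n)) {
		if (!container_of(n, struct sni_ctx, name)->neg)
			return n;
	}
	return NULL;
}

	/* … unchanged: servername lower-casing, HA_RWLOCK_RDLOCK … */
	node = sni_first_non_neg(&s->sni_ctx, trash.area);
	if (!node && wildp)
		node = sni_first_non_neg(&s->sni_w_ctx, wildp);
	if (!node) {
	/* … unchanged: generated / default certificate handling … */
```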