https://issues.apache.org/bugzilla/show_bug.cgi?id=55707
Bug ID: 55707
Summary: SSLProtocol directive seems to be ignored over
different virtualhosts on the same ip+port
Product: Apache httpd-2
Version: 2.4.6
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
I have more than one virtualhost configured on the same IP address and port.
The first one has these directives (uses RSA):
SSLProtocol TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA
The second one only these (uses EC):
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA
SSLStrictSNIVHostCheck on
Non-SNI clients get 403 properly. But if a client supports SNI and negotiates
with TLSv1.1 or TLSv1, the request will be accepted and the page served. With
an SNI client, the SSLCipherSuite list gets used properly, but the
SSLProtocol directive is totally ignored. From the ClientHello the SNI
capability can be detected, and so can the protocol version used. TLS
negotiation should be denied in the same way when there is no common protocol
version as it is when there are no common ciphers.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
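The behaviour the report describes can be checked from the client side without reading server logs: offer exactly one TLS version at a time, send the virtual host's SNI name, and see whether the handshake completes. The script below is an added example, not code from the bug report or from httpd. It mirrors how mod_ssl parses the SSLProtocol argument list (a bare token replaces the set, "+" adds, "-" removes, "all" is every known version, "-SSLv2" is tolerated as a no-op) to compute what a vhost should accept, then probes each version and flags the ones the server accepted although the directive denies them. The host 203.0.113.10, port 443 and name ecdsa.example.org in the usage line are placeholders; the TLSv1.3 entry in the "all" set is an assumption about the local build, since an httpd 2.4.6 / OpenSSL 1.0.1 server has no TLSv1.3 at all.

```python
"""Compare what an SNI virtual host's SSLProtocol says with what the server
really accepts.  Added example for bug 55707; not httpd's or the reporter's
code.  Host, port and server names passed on the command line are placeholders.
"""
import socket
import ssl
import sys

# Protocol names mod_ssl 2.4 understands.  "all" expands to this set; which
# members the server can actually speak depends on its OpenSSL build
# (assumption: a 2.4.6-era build has no TLSv1.3).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_LOOKUP = {p.lower(): p for p in PROTOCOLS}

# Versions the local ssl module can pin a ClientHello to (SSLv3 left out).
PY_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_sslprotocol(directive: str) -> frozenset:
    """Return the set of protocol names an SSLProtocol argument list allows.

    Mirrors mod_ssl's parser: a token without prefix replaces the set built so
    far, "+tok" adds, "-tok" removes; names are case-insensitive; "-SSLv2" is
    accepted as a no-op and any other mention of SSLv2 is a config error.
    """
    allowed = set()
    for raw in directive.split():
        action, token = "", raw
        if raw[0] in "+-":
            action, token = raw[0], raw[1:]
        key = token.lower()
        if key == "sslv2":
            if action == "-":
                continue
            raise ValueError("SSLv2 not supported")
        if key == "all":
            this = set(PROTOCOLS)
        elif key in _LOOKUP:
            this = {_LOOKUP[key]}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if action == "-":
            allowed -= this
        elif action == "+":
            allowed |= this
        else:
            allowed = this          # bare token overrides everything before it
    return frozenset(allowed)


def probe(host: str, port: int, server_name: str, proto: str, timeout: float = 5.0):
    """Offer exactly one TLS version with the given SNI name.

    Returns (accepted, detail): True/False for handshake completed or refused,
    None when the local OpenSSL cannot even offer that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # negotiation, not trust, is under test
    try:
        ctx.minimum_version = ctx.maximum_version = PY_VERSIONS[proto]
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let modern OpenSSL offer TLS 1.0/1.1
    except (ValueError, ssl.SSLError) as exc:
        return None, f"not offerable locally: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


def audit(host: str, port: int, server_name: str, directive: str) -> dict:
    """Map each probeable version to (configured_allow, observed_accept, detail)."""
    expected = parse_sslprotocol(directive)
    return {p: (p in expected,) + probe(host, port, server_name, p) for p in PY_VERSIONS}


def mismatches(report: dict) -> list:
    """Versions where the server's answer contradicts the directive."""
    return [p for p, (exp, got, _) in report.items() if got is not None and exp != got]


if __name__ == "__main__":
    # e.g.  python3 sni_protocol_check.py 203.0.113.10 443 ecdsa.example.org "TLSv1.2"
    host, port, name, directive = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    report = audit(host, port, name, directive)
    bad = mismatches(report)
    for proto, (exp, got, detail) in report.items():
        flag = "  <-- MISMATCH" if proto in bad else ""
        print(f"{proto:8} configured={'allow' if exp else 'deny':5} observed={got} ({detail}){flag}")
    sys.exit(1 if bad else 0)
```

Run against the EC virtual host from the report with its directive "TLSv1.2": if the SSLProtocol of the SNI-selected vhost were honoured, TLSv1 and TLSv1.1 would show observed=False; the report says they are served, which this prints as MISMATCH. The probe depends on the client's own OpenSSL still being willing to send a TLS 1.0 or 1.1 ClientHello; builds that have dropped those versions report them as "not offerable locally" rather than as rejected by the server.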