https://issues.apache.org/bugzilla/show_bug.cgi?id=55707

Kaspar Brand <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|PC                          |All
                 OS|Linux                       |All

--- Comment #1 from Kaspar Brand <[email protected]> ---
Confirmed. It's due to a current limitation in OpenSSL, actually - when we use 
SSL_set_SSL_CTX() in the SNI callback in ssl_engine_kernel.c, OpenSSL only
switches the certificate, but not any of the other settings.

I have filed

  https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3183

meanwhile, and on the mod_ssl side, we are basically stuck with fixing this in
a sane way until it's addressed in OpenSSL. If you're compiling against OpenSSL
before 1.0.0, you could apply this patch, in theory (but note that this fiddles
with OpenSSL internals, and is not the way forward to fix the issue):

--- ssl_engine_kernel.c (revision 1546692)
+++ ssl_engine_kernel.c (working copy)
@@ -2014,6 +2014,7 @@ static int ssl_find_vhost(void *servername, conn_r
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
                            SSL_CTX_get_verify_callback(ctx));
         }
+        SSL_set_ssl_method(ssl, ctx->method);

         /*
          * Adjust the session id context. ssl_init_ssl_connection()
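
Review bot: the added SSL_set_ssl_method(ssl, ctx->method) line reads the method field directly out of the SSL_CTX structure and discards the function's return value. Because ctx->method depends on the struct layout being visible to mod_ssl, the line should sit behind a guard such as #if OPENSSL_VERSION_NUMBER < 0x10000000L, matching the "before 1.0.0" scope stated above. SSL_set_ssl_method() returns an int, so a failed switch should be logged and the handshake rejected rather than letting the connection continue with the original method. The call is also placed after the closing brace of the preceding block, so it runs regardless of that block's condition; please confirm that is intended.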
