https://bz.apache.org/bugzilla/show_bug.cgi?id=55707

--- Comment #24 from hasso.tep...@gmail.com ---
There are legit reasons why users would want to allow/disable TLS versions
per virthost. I'm working for a hosting provider and I see all kinds of crazy
requirements – main reasons are . Some users want to disable TLS1.0 only
(mainly PCI reasons), but certainly keep TLS1.1. Some users want to disable
TLSv1.0 and TLSv1.1. Some users want to disable TLSv1.3 on top of other
requirements – missing support for Post-Handshake Authentication in browsers
seems to be a popular reason. Etc.

In short – it would be quite a task to configure an IP for every possible TLS
combination and move virthosts (and DNS etc) accordingly.

The patch from Mike Haller works mostly and is OK with all restrictions (i.e. you
can't enable protocols which are disabled by default in virthosts etc). But it
doesn't work for TLSv1.3 any more and supporting it isn't trivial either
AFAICS. What I'd like is to make this configuration work:

<vhost default>
  SSLProtocol all -SSLv3
</vhost default>

<vhost A>
  SSLProtocol all -SSLv3 -TLSv1.1
</vhost A>

<vhost B>
  SSLProtocol all -SSLv3 -TLSV1.3
</vhost B>

If I'd extend the patch with support for TLS 1.3, vhost B would be just
inaccessible for all clients supporting TLS 1.3.
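
Added example, not part of the comment above and not httpd or patch code: a small audit that computes which protocols each vhost's SSLProtocol line leaves enabled and flags a vhost that enables something the default vhost disables (the restriction the comment mentions). Assumptions: the expansion of "all", case-insensitive protocol names, a bare token replacing earlier ones, and the constructed vhost "C".

```python
# Assumption: "all" expands to this set; the real set depends on the
# httpd and OpenSSL build. "tlsv1" is TLS 1.0.
ALL = frozenset({"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"})


def effective_protocols(directive):
    """Return the protocol set left enabled by an SSLProtocol argument string."""
    enabled = set()
    for token in directive.split():
        action = token[0] if token[0] in "+-" else ""
        # Assumption: names match case-insensitively ("-TLSV1.3" == TLSv1.3).
        name = (token[1:] if action else token).lower()
        chosen = set(ALL) if name == "all" else {name}
        if not chosen <= ALL:
            raise ValueError(f"unknown protocol: {token}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # assumed: a bare token replaces earlier ones
    return enabled


def audit(default_directive, vhosts):
    """Map vhost name -> (enabled, removed on top of default, violations).

    A violation is a protocol the vhost enables although the default vhost
    disables it.
    """
    base = effective_protocols(default_directive)
    report = {}
    for name, directive in vhosts.items():
        enabled = effective_protocols(directive)
        report[name] = (enabled, base - enabled, enabled - base)
    return report


# Directives from the comment, plus constructed vhost "C" re-enabling SSLv3.
DEFAULT = "all -SSLv3"
VHOSTS = {"A": "all -SSLv3 -TLSv1.1", "B": "all -SSLv3 -TLSV1.3", "C": "all"}

if __name__ == "__main__":
    for name, (enabled, removed, bad) in audit(DEFAULT, VHOSTS).items():
        print(name, sorted(enabled), "removed:", sorted(removed),
              "violations:", sorted(bad))
```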
