That is why mod_h2 allowe "H2Engine on|off" on base server and vhosts. If I understand you correctly, this does what you ask for.
//Stefan > Am 03.06.2015 um 19:45 schrieb William A Rowe Jr <[email protected]>: > >> On Wed, Jun 3, 2015 at 8:43 AM, Stefan Eissing >> <[email protected]> wrote: >> Hmm, personally, I do not like redundant configurations. If someone >> configures a module, like mod_h2, to be enabled (H2Engine on), she could >> expect the module to take all the necessary steps. So I am no fan of a >> „SSLAlpnEnable“. > > The reason boils down to vhosts and interop. If someone does not wish > for a specific vhost (perhaps interacting with bad clients, or created for > backwards compatibility) to respond with a feature, it is useful to have > a fine-grained toggle. The default -could- be 'enabled', although this > probably should not happen on the stable/maintenance branches, but > simply on the future release branch, to avoid surprises. > > OpenSSL does the wrong thing in some cases with respect to TLS/SNI > and my current patch development - in some respect - is backing out > that callback change for customers who have been burned by this > specific nonsense. You should reconsider absolutist behaviors, > because they make it much harder for people to inject 'experimental' > behaviors into specific hosts. > >
