> Am 04.04.2018 um 20:23 schrieb William A Rowe Jr <wr...@rowe-clan.net>:
> 
> SSLProtocol TLSv1.2 TLSv1.3
> SSLProxyProtocol TLSv1.2 TLSv1.3
> 
> should be syntactically valid, no?

Not sure. Is

> SSLProtocol TLSv1.2 TLSv1.1

valid? On the road right now and cannot test. I agree
that it probably makes sense, but for backport compat
I tried to add TLSv1.3 in the same spirit as the other
protocols.

> 
> [Wed Apr 04 18:21:11.465896 2018] [ssl:warn] [pid 2228052:tid
> 140031042861312] AH02532: SSLProtocol: Protocol 'TLSv1.3' overrides
> already set parameter(s). Check if a +/- prefix is missing.
> [Wed Apr 04 18:21:11.465946 2018] [ssl:warn] [pid 2228052:tid
> 140031042861312] AH02532: SSLProxyProtocol: Protocol 'TLSv1.3'
> overrides already set parameter(s). Check if a +/- prefix is missing.
> 
> TLSv1.3 should begin 'unset' if TLSv1.2 is given without modifiers.
> 
> 
> On Wed, Mar 28, 2018 at 10:49 AM, Stefan Eissing
> <stefan.eiss...@greenbytes.de> wrote:
>> Just added TLSv1.3 support in trunk. No fancy new early data features, just 
>> the basic.
>> 
>> Open for discussion:
>> - The Mozilla server-side-tls people are still thinking of what they will 
>> recommend, see:
>>   
>> https://github.com/mozilla/server-side-tls/issues/191#issuecomment-376918933
>> - Turns out, cipher suites are separate from <= TLSv1.2. Since servers will 
>> co-host 1.2 and 1.3
>>   for some time, we need additional config directives, I think. Added 
>> "SSLCipherSuiteV1_3" and
>>   am ashamed of the name.
>> - The current handling of TLS versions that are not supported by the *SSL 
>> lib linked is not
>>   super helpful. It more or less pretends that the version does not exist 
>> (unknown protocol),
>>   but that is far from the truth. Shall we continue that or is this an 
>> opportunity to reconsider?
>> - Should we allow the configuration of TLSv1_3 ciphers, even if the linked 
>> SSL does not support
>>   it? This is different from SSLProtocol which of course needs to fail if it 
>> cannot enable the
>>   version that is explicitly configured.
>>   I think it is ok to take it into the config, even though it never 
>> activates.
>> 
>> Cheers,
>> 
>> Stefan
>> 
>> PS. If a FreeBSD libressl+apache maintainer is listening here, he may try if 
>> trunk compiles with it. I would not stop him.
>> 

Reply via email to