On Wed, Apr 11, 2018 at 6:41 PM, Joe Orton <jor...@redhat.com> wrote:
> On Wed, Apr 11, 2018 at 05:49:47PM +0200, Yann Ylavic wrote:
>> I agree... to both Stefan's and your points of view here :p


> I feel like it should be possible to restore the old behaviour simply by
> disabling the implicit-SSLEngine-on in the cases where we'd never get a
> separate SSLSrvConfigRec before.
> e.g. could we suppress default-on if pks->cert_files is empty?  (plus
> some mod_md fudge factor??)

I'm not sure to understand how this'd help, there may still be
multiple vhosts with mod_md.
I'd like this approach if it works, but don't see the link for now.

As for my proposal, maybe the other way around then: for 2.4.x, we
could require that mod_md's LoadModule precedes mod_ssl's so that it
can reset ap_module_flags_umask before (ap_module_flags_umask would be
internal only, defaulting to -1).
Since mod_md is experimental, maybe we can afford this requirement...

Reply via email to