On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote:
> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton <jor...@redhat.com> wrote:
> >> Like this?  Is this likely to break some other currently-working config?
> >>
> >> Index: modules/ssl/ssl_engine_init.c
> >> ===================================================================
> >> --- modules/ssl/ssl_engine_init.c       (revision 1828914)
> >> +++ modules/ssl/ssl_engine_init.c       (working copy)
> >> @@ -261,7 +261,8 @@
> >>           * the protocol is https. */
> >>          if (ap_get_server_protocol(s)
> >>              && strcmp("https", ap_get_server_protocol(s)) == 0
> >> -            && sc->enabled == SSL_ENABLED_UNSET) {
> >> +            && sc->enabled == SSL_ENABLED_UNSET
> >> +            && (!apr_is_empty_array(sc->server->pks->cert_files))) {
> >>              sc->enabled = SSL_ENABLED_TRUE;
> >>          }
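Review bot: The added condition on `sc->server->pks->cert_files` makes the implicit enable depend only on certificate files configured for this vhost, and the comment at the top of the hunk still says only that the protocol is https. Please extend that comment to state the new requirement, so that a vhost left at SSL_ENABLED_UNSET is clearly intended behaviour. The condition also dereferences `sc->server` and `sc->server->pks` with no NULL check in the visible lines; if either can be unset at this point in init, guard it before calling apr_is_empty_array(). Since the check looks at cert_files alone, a vhost whose certificate is supplied some other way (the mod_md question raised in this thread) would no longer be switched on implicitly, which is worth confirming before commit.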
> >
> > So now your configuration would work because the second vhost wouldn't
> > have SSL enabled?
> > But doesn't the user want SSL on this vhost in the first place?
> 
> If they worked before, it seems like they were relying on a handshake
> with the default VH for the NVH -- which they still get?

Yes, exactly - and for affected configs the defining feature is the 
absence of SSL* in the second vhost.  The non-SSL config still takes 
effect as before.

This seems to work for the trivial test cases I have based off user 
reports, but I'm worried this is going to break some other case for 
which the implicit-on is still needed.

Is mod_md expected to work for vhosts without "SSLEngine on/optional" 
configured explicitly?  Didn't get a clear answer to this before.

Regards, Joe
