On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote: > On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic <[email protected]> wrote: > > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton <[email protected]> wrote: > >> Like this? Is this likely to break some other currently-working config? > >> > >> Index: modules/ssl/ssl_engine_init.c > >> =================================================================== > >> --- modules/ssl/ssl_engine_init.c (revision 1828914) > >> +++ modules/ssl/ssl_engine_init.c (working copy) > >> @@ -261,7 +261,8 @@ > >> * the protocol is https. */ > >> if (ap_get_server_protocol(s) > >> && strcmp("https", ap_get_server_protocol(s)) == 0 > >> - && sc->enabled == SSL_ENABLED_UNSET) { > >> + && sc->enabled == SSL_ENABLED_UNSET > >> + && (!apr_is_empty_array(sc->server->pks->cert_files))) { > >> sc->enabled = SSL_ENABLED_TRUE; > >> } > > > > So now your configuration would work because the second vhost wouldn't > > have SSL enabled? > > But doesn't the user want SSL on this vhost in the first place? > > If they worked before, it seems like they were relying on a handshake > with the default VH for the NVH -- which they still get?
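Review bot: The added `cert_files` test in the implicit-enable condition ties the "protocol is https" default to certificates being configured directly on the vhost, so any vhost whose certificates would be supplied some other way stays at SSL_ENABLED_UNSET and silently falls back to the non-SSL path; the mod_md question raised in this thread needs an answer before this goes in. The new line also dereferences `sc->server->pks` with no guard visible in the hunk, so confirm both `sc->server` and `pks` are always allocated by the time this init code runs, or add a NULL check. The comment above the condition still describes only the https-protocol case and should mention the certificate requirement, and a debug-level log message when an https vhost is skipped for lack of certificates would make the changed default diagnosable. The extra parentheses around `!apr_is_empty_array(...)` are redundant.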
Yes, exactly - and for affected configs the defining feature is the absence of SSL* in the second vhost. The non-SSL config still takes effect as before.

This seems to work for the trivial test cases I have based off user reports, but I'm worried this is going to break some other case for which the implicit-on is still needed.

Is mod_md expected to work for vhosts without "SSLEngine on/optional" configured explicitly? Didn't get a clear answer to this before.

Regards, Joe
