On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton <jor...@redhat.com> wrote:
> On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote:
>> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton <jor...@redhat.com> wrote:
>> >> Like this?  Is this likely to break some other currently-working config?
>> >>
>> >> Index: modules/ssl/ssl_engine_init.c
>> >> ===================================================================
>> >> --- modules/ssl/ssl_engine_init.c       (revision 1828914)
>> >> +++ modules/ssl/ssl_engine_init.c       (working copy)
>> >> @@ -261,7 +261,8 @@
>> >>           * the protocol is https. */
>> >>          if (ap_get_server_protocol(s)
>> >>              && strcmp("https", ap_get_server_protocol(s)) == 0
>> >> -            && sc->enabled == SSL_ENABLED_UNSET) {
>> >> +            && sc->enabled == SSL_ENABLED_UNSET
>> >> +            && (!apr_is_empty_array(sc->server->pks->cert_files))) {
>> >>              sc->enabled = SSL_ENABLED_TRUE;
>> >>          }
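Review bot: the comment just above the condition (". . . the protocol is https.") now describes only half of the rule; since the patch also requires a non-empty `sc->server->pks->cert_files`, the comment should say that SSL is only switched on implicitly when the vhost actually configures certificate files, otherwise the next reader will not know why a `https` vhost without SSL* directives is left with `SSL_ENABLED_UNSET`. Two smaller points on the same hunk: the outer parentheses in `&& (!apr_is_empty_array(sc->server->pks->cert_files))` are redundant, and it would help troubleshooting to log (at debug or info level) when the implicit-on is skipped for a `https` vhost, because a configuration that used to get SSL silently now does not and the only symptom will be a plaintext listener answering TLS clients.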
>> >
>> > So now your configuration would work because the second vhost wouldn't
>> > have SSL enabled?
>> > But doesn't the user want SSL on this vhost in the first place?
>>
>> If they worked before, it seems like they were relying on a handshake
>> with the default VH for the NVH -- which they still get?
>
> Yes, exactly - and for affected configs the defining feature is the
> absence of SSL* in the second vhost.  The non-SSL config still takes
> effect as before.

Does it still work with SNI sent by the client (i.e. when negotiation
should be based on the second NVH's SSL config)?

>
> This seems to work for the trivial test cases I have based off user
> reports, but I'm worried this is going to based some other case for
> which the implicit-on is still needed.

Maybe the test could be based off the "base server" (read future
c->base_server, or first of the NVH, not the base_server pointer in
ssl_init_Module() which is really the main server) if we could
determine that at ssl_init_Module() time? Something like
(!apr_is_empty_array(sc->server->pks->cert_files) || "base
server"->sc->enabled), but I don't see another example where "base
server" is determined/needed at load time...

>
> Is mod_md expected to work for vhosts without "SSLEngine on/optional"
> configured explicitly?  Didn't get a clear answer to this before.

Dunno, but I wouldn't be worried too much if that were a new requirement
for it to work explicitly.


Regards,
Yann.
