On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton <jor...@redhat.com> wrote: > On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote: >> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic <ylavic....@gmail.com> wrote: >> > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton <jor...@redhat.com> wrote: >> >> Like this? Is this likely to break some other currently-working config? >> >> >> >> Index: modules/ssl/ssl_engine_init.c >> >> =================================================================== >> >> --- modules/ssl/ssl_engine_init.c (revision 1828914) >> >> +++ modules/ssl/ssl_engine_init.c (working copy) >> >> @@ -261,7 +261,8 @@ >> >> * the protocol is https. */ >> >> if (ap_get_server_protocol(s) >> >> && strcmp("https", ap_get_server_protocol(s)) == 0 >> >> - && sc->enabled == SSL_ENABLED_UNSET) { >> >> + && sc->enabled == SSL_ENABLED_UNSET >> >> + && (!apr_is_empty_array(sc->server->pks->cert_files))) { >> >> sc->enabled = SSL_ENABLED_TRUE; >> >> } >> > >> > So now your configuration would work because the second vhost wouldn't >> > have SSL enabled? >> > But doesn't the user want SSL on this vhost in the first place? >> >> If they worked before, it seems like they were relying on a handshake >> with the default VH for the NVH -- which they still get? > > Yes, exactly - and for affected configs the defining feature is the > absence of SSL* in the second vhost. The non-SSL config still takes > effect as before.
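Review bot: the added `cert_files` condition drops the implicit SSL enable for an `https` vhost without any diagnostic, so an admin whose second vhost now falls back to a handshake against the default vhost (the behaviour Eric describes) has nothing in the error log to explain it. At the `sc->enabled = SSL_ENABLED_TRUE;` site, consider an `else` branch that logs at warning level when the server protocol is `https`, `sc->enabled` is unset and no SSLCertificateFile is configured, naming the vhost. The comment above the condition (`* the protocol is https. */`) should also be updated to state the new certificate requirement, and the extra parentheses around `!apr_is_empty_array(...)` can be dropped.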
Does it still work with SNI sent by the client (i.e. when negotiation
should be based on the second NVH's SSL config)?

> This seems to work for the trivial test cases I have based off user
> reports, but I'm worried this is going to break some other case for
> which the implicit-on is still needed.

Maybe the test could be based off the "base server" (read future
c->base_server, or first of the NVH, not the base_server pointer in
ssl_init_Module() which is really the main server) if we could determine
that at ssl_init_Module() time?
Something like (!apr_is_empty_array(sc->server->pks->cert_files) ||
"base server"->sc->enabled), but I don't see another example where "base
server" is determined/needed at load time...

> Is mod_md expected to work for vhosts without "SSLEngine on/optional"
> configured explicitly? Didn't get a clear answer to this before.

Dunno, but I wouldn't be too worried if that were a new requirement for it
to work explicitly.

Regards,
Yann.