> On 11.04.2018 at 22:24, Yann Ylavic <ylavic....@gmail.com> wrote:
> 
> On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton <jor...@redhat.com> wrote:
>> On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote:
>>> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>>>> On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton <jor...@redhat.com> wrote:
>>>>> Like this?  Is this likely to break some other currently-working config?
>>>>> 
>>>>> Index: modules/ssl/ssl_engine_init.c
>>>>> ===================================================================
>>>>> --- modules/ssl/ssl_engine_init.c       (revision 1828914)
>>>>> +++ modules/ssl/ssl_engine_init.c       (working copy)
>>>>> @@ -261,7 +261,8 @@
>>>>>          * the protocol is https. */
>>>>>         if (ap_get_server_protocol(s)
>>>>>             && strcmp("https", ap_get_server_protocol(s)) == 0
>>>>> -            && sc->enabled == SSL_ENABLED_UNSET) {
>>>>> +            && sc->enabled == SSL_ENABLED_UNSET
>>>>> +            && (!apr_is_empty_array(sc->server->pks->cert_files))) {
>>>>>             sc->enabled = SSL_ENABLED_TRUE;
>>>>>         }
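Review bot: the added condition only consults the vhost's own statically configured `sc->server->pks->cert_files` at ssl_init_Module() time, so a vhost whose certificate is supplied some other way (the open mod_md question later in this thread, or a vhost intended to inherit the base server's SSL setup) is no longer auto-enabled even though its scheme is https; if that is the intended trade-off, document it in the comment above the condition (the fragment ending `* the protocol is https. */` still describes only the pre-patch rule) and consider a debug-level log line when an https-scheme vhost is left SSL-unset for lack of certificate files, so the affected configs are diagnosable rather than silently falling back to the default vhost's handshake.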
>>>> 
>>>> So now your configuration would work because the second vhost wouldn't
>>>> have SSL enabled?
>>>> But doesn't the user want SSL on this vhost in the first place?
>>> 
>>> If they worked before, it seems like they were relying on a handshake
>>> with the default VH for the NVH -- which they still get?
>> 
>> Yes, exactly - and for affected configs the defining feature is the
>> absence of SSL* in the second vhost.  The non-SSL config still takes
>> effect as before.
> 
> Does it still work with SNI sent by the client (i.e. when negotiation
> should be based on the second NVH's SSL config)?
> 
>> 
>> This seems to work for the trivial test cases I have based off user
>> reports, but I'm worried this is going to break some other case for
>> which the implicit-on is still needed.
> 
> Maybe the test could be based off the "base server" (read future
> c->base_server, or first of the NVH, not the base_server pointer in
> ssl_init_Module() which is really the main server) if we could
> determine that at ssl_init_Module() time? Something like
> (!apr_is_empty_array(sc->server->pks->cert_files) || "base
> server"->sc->enabled), but I don't see another example where "base
> server" is determined/needed at load time...
> 
>> 
>> Is mod_md expected to work for vhosts without "SSLEngine on/optional"
>> configured explicitly?  Didn't get a clear answer to this before.
> 
> Dunno, but wouldn't be worried too much if that were a new requirement
> for it to work explicitly.

I think mod_md will survive if mod_ssl switches off the new flag. mod_md
itself however uses it and needs the functionality.

Cheers, Stefan
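To make the configurations under discussion concrete, here is an added illustration (not from the thread, and not from httpd's own test suite) of the pattern Joe describes: a default vhost carrying the SSL* directives, and a second name-based vhost whose ServerName uses the https:// scheme but has no SSL* directives of its own. The hostnames, file paths and port are assumptions. For the second vhost ap_get_server_protocol() returns "https", so the implicit-on code flips it to SSL_ENABLED_TRUE at init; with the patch's extra check it stays SSL-unset because it has no certificate files, and clients reaching it get the default vhost's handshake as before. The last block shows the explicit form (SSLEngine on plus its own certificate) that Joe's question about mod_md refers to; use it in place of the second block, not alongside it.

```apache
Listen 443

# Default (first) vhost for this address: carries the SSL configuration.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    DocumentRoot /var/www/www
</VirtualHost>

# Second name-based vhost: https scheme in ServerName, no SSL* directives.
# ap_get_server_protocol() returns "https" here. Without the patch,
# sc->enabled is set to SSL_ENABLED_TRUE at init although no certificate
# is configured; with the patch, the empty cert_files array keeps it
# unset and the default vhost above performs the handshake.
<VirtualHost *:443>
    ServerName https://other.example.com
    DocumentRoot /var/www/other
</VirtualHost>

# Explicit alternative for the second vhost (replace the block above with
# this one): enable SSL and give the vhost its own certificate, so nothing
# depends on the implicit-on rule.
<VirtualHost *:443>
    ServerName https://other.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/other.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/other.example.com.key
    DocumentRoot /var/www/other
</VirtualHost>
```

Yann's SNI question applies to the middle block: a client sending other.example.com in SNI is matched to a vhost that, under the patch, has no SSL configuration of its own, so negotiation can only use the default vhost's certificate.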