> On 11.04.2018 at 22:24, Yann Ylavic <ylavic....@gmail.com> wrote:
>
> On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton <jor...@redhat.com> wrote:
>> On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote:
>>> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>>>> On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton <jor...@redhat.com> wrote:
>>>>> Like this? Is this likely to break some other currently-working config?
>>>>>
>>>>> Index: modules/ssl/ssl_engine_init.c
>>>>> ===================================================================
>>>>> --- modules/ssl/ssl_engine_init.c (revision 1828914)
>>>>> +++ modules/ssl/ssl_engine_init.c (working copy)
>>>>> @@ -261,7 +261,8 @@
>>>>> * the protocol is https. */
>>>>> if (ap_get_server_protocol(s)
>>>>> && strcmp("https", ap_get_server_protocol(s)) == 0
>>>>> - && sc->enabled == SSL_ENABLED_UNSET) {
>>>>> + && sc->enabled == SSL_ENABLED_UNSET
>>>>> + && (!apr_is_empty_array(sc->server->pks->cert_files))) {
>>>>> sc->enabled = SSL_ENABLED_TRUE;
>>>>> }
>>>>
>>>> So now your configuration would work because the second vhost wouldn't
>>>> have SSL enabled?
>>>> But doesn't the user want SSL on this vhost in the first place?
>>>
>>> If they worked before, it seems like they were relying on a handshake
>>> with the default VH for the NVH -- which they still get?
>>
>> Yes, exactly - and for affected configs the defining feature is the
>> absence of SSL* in the second vhost. The non-SSL config still takes
>> effect as before.
>
> Does it still work with SNI sent by the client (i.e. when negotiation
> should be based on the second NVH's SSL config)?
>
>>
>> This seems to work for the trivial test cases I have based off user
>> reports, but I'm worried this is going to break some other case for
>> which the implicit-on is still needed.
>
> Maybe the test could be based off the "base server" (read future
> c->base_server, or first of the NVH, not the base_server pointer in
> ssl_init_Module() which is really the main server) if we could
> determine that at ssl_init_Module() time? Something like
> (!apr_is_empty_array(sc->server->pks->cert_files) || "base
> server"->sc->enabled), but I don't see another example where "base
> server" is determined/needed at load time...
>
>>
>> Is mod_md expected to work for vhosts without "SSLEngine on/optional"
>> configured explicitly? Didn't get a clear answer to this before.
>
> Dunno, but wouldn't be worried too much if that were a new requirement
> for it to work explicitly.
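Review bot: the added `cert_files` test in the `@@ -261,7 +261,8 @@` hunk makes the implicit switch-on silently fall through for any vhost that is declared `https` but has no certificate files of its own at `ssl_init_Module()` time, which is exactly the case the mod_md question in this thread is about, and a vhost that previously got TLS will now stay at `SSL_ENABLED_UNSET` with no indication why. Suggest an `else` branch that logs at debug level when the protocol is `https` but implicit enabling was skipped because `cert_files` is empty, so an operator can find vhosts that lost their own TLS config after upgrading, and extend the comment ending in `* the protocol is https. */` to state the new certificate-file requirement. Minor style point: the parentheses around `!apr_is_empty_array(...)` are redundant.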
I think mod_md will survive if mod_ssl switches off the new flag. mod_md
itself, however, uses it and needs the functionality.

Cheers,
Stefan