While I like this change and think, ideally, it would have behaved like this all the time, I think we need to make this "opt-in" for 2.4.
If I understand this correctly: if someone has some old SSLProtocol/Cipher/etc. setting sitting in a vhost, *ineffective now since it is not the first vhost*, this change would activate it. So it could expose a site to a TLS setting that is not appropriate for it. One could argue that the first mistake was for the admin to leave that setting there, but...

- Stefan

> On 25.10.2019 at 09:46, Yann Ylavic <[email protected]> wrote:
>
> On Sun, Oct 20, 2019 at 12:50 PM <[email protected]> wrote:
>>
>> Author: ylavic
>> Date: Sun Oct 20 10:50:33 2019
>> New Revision: 1868645
>>
>> URL: http://svn.apache.org/viewvc?rev=1868645&view=rev
>> Log:
>> mod_ssl: negotiate the TLS protocol version per name based vhost
>> configuration.
>
> I'm planning to propose this for backport to 2.4.x, but wonder if it
> should be opt in/out.
>
> I can see potential behaviour change for existing configurations if,
> for instance, one has specified some SSLProtocol at the base server
> level but none (relying on the current behaviour) or something
> different (somehow working unwittingly of his/her own free will) at
> the other name-based vhost(s) level.
>
> Thoughts?
>
> Regards,
> Yann.
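The situation Stefan and Yann are describing, as a constructed example added here (it is not from the thread or from the httpd project): two name-based TLS vhosts on the same IP:port, where the second one carries a stale SSLProtocol line left over from an earlier migration. The hostnames, certificate paths and the exact protocol lists are assumptions chosen to make the effect visible.

```apache
# Constructed example, not part of the original thread or of httpd.
Listen 443

# First vhost for *:443: the default for this IP:port. Before r1868645
# its SSLProtocol governed the TLS version negotiated for every name
# served on *:443, whatever the other vhosts said.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

# Second, name-based vhost on the same *:443.
<VirtualHost *:443>
    ServerName legacy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/legacy.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/legacy.example.com.key

    # BEFORE the change: this line is inert, the first vhost's protocol
    # list applies, so TLS 1.0/1.1 are refused for legacy.example.com too.
    # AFTER the change (per-vhost negotiation): this line becomes active
    # for SNI=legacy.example.com and silently re-enables TLS 1.0 and 1.1
    # for that name only. This is the exposure Stefan is pointing at.
    SSLProtocol all -SSLv3

    # Hardened form: either delete the stale directive so the vhost
    # inherits the base server's SSLProtocol, or state the intended
    # policy explicitly so it no longer depends on which vhost is first:
    # SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Before backporting a build with this change, a practitioner would grep the whole configuration for SSLProtocol and SSLCipherSuite directives inside non-first vhosts and decide for each whether it is intended. The effective policy per name can then be checked from outside with `openssl s_client -connect host:443 -servername legacy.example.com -tls1` (and `-tls1_1`): a handshake that succeeds for a name where it failed before the upgrade is exactly the behaviour change discussed above.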
