On Fri, Oct 25, 2019 at 9:56 AM Stefan Eissing <[email protected]> wrote:
>
> While I like this change and think, ideally, it would have behaved like this
> all the time, I think we need to make this "opt-in" for 2.4.

So now the "how" and name bikeshedding :)
SSLHonorVhostProtocol on/off (default: off) at the server config scope (only)?

>
> If I understand this correctly: if someone has some old
> SSLProtocol/Cipher/etc. setting sitting in a vhost, *ineffective now since it
> is not the first vhost*, this change would activate it. So it could expose a
> site to a TLS setting that is not appropriate for it. One could argue that
> the first mistake was for the admin to leave that setting there, but...
>
> - Stefan
>
> > On 25.10.2019 at 09:46, Yann Ylavic <[email protected]> wrote:
> >
> > On Sun, Oct 20, 2019 at 12:50 PM <[email protected]> wrote:
> >>
> >> Author: ylavic
> >> Date: Sun Oct 20 10:50:33 2019
> >> New Revision: 1868645
> >>
> >> URL: http://svn.apache.org/viewvc?rev=1868645&view=rev
> >> Log:
> >> mod_ssl: negotiate the TLS protocol version per name based vhost
> >> configuration.
> >
> > I'm planning to propose this for backport to 2.4.x, but wonder if it
> > should be opt in/out.
> >
> > I can see potential behaviour change for existing configurations if,
> > for instance, one has specified some SSLProtocol at the base server
> > level but none (relying on the current behaviour) or something
> > different (somehow working unwittingly of his/her own free will) at
> > the other name-based vhost(s) level.
> >
> > Thoughts?
> >
> > Regards,
> > Yann.
>
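The configuration pattern Stefan and Yann are worried about, written out as an added illustration (this is not a config from the thread or from the httpd project; the hostnames, paths and the "legacy" leftover are constructed for the example). Both vhosts share the same address and port, so the second one is only ever reached via SNI:

```apache
# Constructed example: base-server policy that the admin actually wants.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# First name-based vhost on 203.0.113.10:443. Before r1868645 the TLS version
# was negotiated from this vhost's settings for every connection on the
# socket, whatever SNI name the client later turned out to send.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/www.example.test.crt
    SSLCertificateKeyFile /etc/ssl/www.example.test.key
    # no SSLProtocol here: inherits the base-server policy
</VirtualHost>

# Second name-based vhost on the same socket. The SSLProtocol line is a
# leftover from years ago. Before the change it was dead configuration,
# because this vhost is not the first one for the address; after the change
# a client sending SNI=legacy.example.test can negotiate TLS 1.0 or 1.1 here.
<VirtualHost 203.0.113.10:443>
    ServerName legacy.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/legacy.example.test.crt
    SSLCertificateKeyFile /etc/ssl/legacy.example.test.key
    SSLProtocol all                 # <- silently re-activated per-vhost setting
</VirtualHost>

# What the admin should do before (or regardless of) the backport: drop the
# stale line so the vhost inherits the base-server policy, or state the policy
# explicitly so it no longer depends on which vhost comes first in the config.
<VirtualHost 203.0.113.10:443>
    ServerName legacy-fixed.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/legacy-fixed.example.test.crt
    SSLCertificateKeyFile /etc/ssl/legacy-fixed.example.test.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

A quick way to find such leftovers before upgrading is to grep every vhost for SSLProtocol, SSLCipherSuite and related directives and compare them against the base-server values; a runtime check of what a given name actually negotiates is `openssl s_client -connect 203.0.113.10:443 -servername legacy.example.test -tls1_1`, which should fail to handshake once the stale line is gone. The SSLHonorVhostProtocol name in the message above is Yann's proposal at this point in the thread, not a directive this example relies on.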
