Sure thing! Wine usually disinhibits discussions :)
On Fri, Oct 25, 2019 at 11:45 AM Stefan Eissing <[email protected]> wrote:
>
> Can we wait with the naming discussion after I opened my Friday evening Wine
> bottle?
>
> > On 25.10.2019 at 10:16, Yann Ylavic <[email protected]> wrote:
> >
> > On Fri, Oct 25, 2019 at 9:56 AM Stefan Eissing
> > <[email protected]> wrote:
> >>
> >> While I like this change and think, ideally, it would have behaved like
> >> this all the time, I think we need to make this "opt-in" for 2.4.
> >
> > So now the "how" and name bikeshedding :)
> >
> > SSLHonorVhostProtocol on/off (default: off) at the server config scope
> > (only)?
> >>
> >> If I understand this correctly: if someone has some old
> >> SSLProtocol/Cipher/etc. setting sitting in a vhost, *ineffective now since
> >> it is not the first vhost*, this change would activate it. So it could
> >> expose a site to a TLS setting that is not appropriate for it. One could
> >> argue that the first mistake was for the admin to leave that setting
> >> there, but...
> >>
> >> - Stefan
> >>
> >>> On 25.10.2019 at 09:46, Yann Ylavic <[email protected]> wrote:
> >>>
> >>> On Sun, Oct 20, 2019 at 12:50 PM <[email protected]> wrote:
> >>>>
> >>>> Author: ylavic
> >>>> Date: Sun Oct 20 10:50:33 2019
> >>>> New Revision: 1868645
> >>>>
> >>>> URL: http://svn.apache.org/viewvc?rev=1868645&view=rev
> >>>> Log:
> >>>> mod_ssl: negotiate the TLS protocol version per name based vhost
> >>>> configuration.
> >>>
> >>> I'm planning to propose this for backport to 2.4.x, but wonder if it
> >>> should be opt in/out.
> >>>
> >>> I can see potential behaviour change for existing configurations if,
> >>> for instance, one has specified some SSLProtocol at the base server
> >>> level but none (relying on the current behaviour) or something
> >>> different (somehow working unwittingly of his/her own free will) at
> >>> the other name-based vhost(s) level.
> >>>
> >>> Thoughts?
> >>>
> >>> Regards,
> >>> Yann.
> >>
>
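
A pre-upgrade audit for the concern raised in the quoted discussion, as an added example that is not part of the original thread or of httpd: it lists non-first name-based vhosts whose own SSLProtocol differs from the one currently in effect for their address. Assumptions: the sample configuration is constructed, the effective setting is taken from the first vhost of each address (else the base server), and Include files and multi-address vhosts are not resolved.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
SSLProtocol all -SSLv3
<VirtualHost *:443>
    ServerName www.example.org
    SSLProtocol -all +TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.org
    # Stale directive: not the first vhost, so it is ignored today (per the thread).
    SSLProtocol all
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.org
</VirtualHost>
"""

def parse(conf):
    """Return (base SSLProtocol, {address: [(ServerName, SSLProtocol), ...]})."""
    top, groups, cur = {"sslprotocol": None}, defaultdict(list), None
    for line in filter(None, map(str.strip, conf.splitlines())):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1).strip(), "servername": "?", "sslprotocol": None}
        elif line.lower().startswith("</virtualhost") and cur:
            groups[cur["addr"]].append((cur["servername"], cur["sslprotocol"]))
            cur = None
        else:
            # Lower-case and collapse spacing; argument order is kept as written.
            key, *args = line.lower().split()
            if key in ("servername", "sslprotocol"):
                (top if cur is None else cur)[key] = " ".join(args)
    return top["sslprotocol"], groups

def audit(conf):
    """List non-first vhosts whose own SSLProtocol would newly take effect."""
    base, groups = parse(conf)
    findings = []
    for addr, vhosts in groups.items():
        effective = vhosts[0][1] or base  # assumption: first vhost, else base server
        for name, proto in vhosts[1:]:
            if proto is not None and proto != effective:
                findings.append((addr, name, proto, effective))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Each finding is a tuple of address, ServerName, the vhost's own SSLProtocol and the SSLProtocol it is served with today; an empty list means no vhost would change protocol settings under per-vhost negotiation.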
