On Fri, Oct 25, 2019 at 4:09 AM Yann Ylavic <[email protected]> wrote:
>
> On Fri, Oct 25, 2019 at 9:56 AM Stefan Eissing
> <[email protected]> wrote:
> >
> > If I understand this correctly: if someone has some old
> > SSLProtocol/Cipher/etc. setting sitting in a vhost, *ineffective now since
> > it is not the first vhost*, this change would activate it.
>
> Ciphers/etc work per vhost already thanks to the SNI callback, it's
> only SSLProtocol that can't be changed from there due to OpenSSL
> internals (AIUI), but still..
>
> > So it could expose a site to a TLS setting that is not appropriate for it.
> > One could argue that the first mistake was for the admin to leave that
> > setting there, but...
>
> Yeah, my fear as well.

I am pretty conservative on these usually but I think opt-out would be OK.

-- 
Eric Covener
[email protected]
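Added example, not part of the thread or of httpd itself: a small audit script an admin could run before such a change lands, to find the stale per-vhost settings the discussion worries about. It parses a constructed httpd.conf fragment (sample only), takes the first <VirtualHost> on each address:port as the one whose settings the handshake actually uses, and reports every later vhost whose SSLProtocol or SSLCipherSuite differs from it. Following the thread, a divergent SSLProtocol is flagged as "ignored today" (it cannot be switched from the SNI callback), while a divergent SSLCipherSuite is reported as already effective per vhost. Directive names, the sample config and the VHost/parse_vhosts/find_divergent names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample httpd.conf fragment (not from the thread). The second
# vhost carries an old SSLProtocol line that, per the discussion, is currently
# ineffective because it is not the first vhost on *:443.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

<VirtualHost *:443>
    ServerName legacy.example.test
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

<VirtualHost *:443>
    ServerName static.example.test
    SSLEngine on
    # no SSLProtocol here: inherits whatever the first vhost sets
</VirtualHost>
"""

# Directives compared between vhosts (Apache directive names are case-insensitive).
TRACKED = {"sslprotocol": "SSLProtocol", "sslciphersuite": "SSLCipherSuite"}
# Per the thread: ciphers already apply per vhost via the SNI callback,
# SSLProtocol does not, so a divergent SSLProtocol is dead config today.
IGNORED_TODAY = {"SSLProtocol"}


@dataclass
class VHost:
    address: str
    server_name: str = ""
    directives: dict = field(default_factory=dict)


def parse_vhosts(conf: str) -> list:
    """Minimal parser: collects ServerName and tracked directives per <VirtualHost>."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = VHost(address=m.group(1).strip())
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue  # directive outside any vhost: not relevant here
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts[0].lower(), parts[1].strip()
        if name == "servername":
            current.server_name = value
        elif name in TRACKED:
            current.directives[TRACKED[name]] = value
    return vhosts


def find_divergent(vhosts: list) -> list:
    """Return (server_name, directive, value, first_vhost_value, ignored_today)
    for each later vhost on the same address whose setting differs from the
    first vhost's. ignored_today is True for directives the handshake cannot
    switch per vhost, i.e. the ones the proposed change would start honouring."""
    findings, first_by_addr = [], {}
    for vh in vhosts:
        default = first_by_addr.setdefault(vh.address, vh)
        if default is vh:
            continue
        for directive, value in vh.directives.items():
            base = default.directives.get(directive)
            if value != base:
                findings.append((vh.server_name, directive, value, base,
                                 directive in IGNORED_TODAY))
    return findings


if __name__ == "__main__":
    for name, directive, value, base, ignored in find_divergent(parse_vhosts(SAMPLE_CONF)):
        status = "IGNORED TODAY, would become active" if ignored else "already effective per vhost"
        print(f"{name}: {directive} '{value}' differs from first vhost '{base}' ({status})")
```

Running it on the sample prints the legacy vhost's SSLProtocol as the one finding; anything it flags as "ignored today" is a setting worth removing or aligning before a change that activates non-first-vhost SSLProtocol lines.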
