On Fri, Oct 25, 2019 at 1:21 PM Eric Covener <[email protected]> wrote:
>
> > I am pretty conservative on these usually but I think opt-out would be OK.
>
> I am not even sure opt-out makes sense vs. just moving the directives
> not expected to be used.
Yes, opt-out is possibly no better than adjusting the configuration.
A one-liner may help though for complex/split configurations.

> I guess some obscure config could reach the same VH over a non-SNI
> alternate address AND different protocols are desired? Seems pretty
> unlikely.

I'm not sure I understand what you mean.

Suppose a config like the below (untested, will do):

    <VirtualHost *:443>
        ServerName name1
        SSLProtocol TLSv1.2
    </VirtualHost>
    <VirtualHost *:443>
        ServerName name2
        # no SSLProtocol
    </VirtualHost>

I think that currently (2.4.x), name2 is de facto "TLSv1.2" (like its
base server), but with r1868645 it's now "all -SSLv3" (the default for
SSLProtocol).

If an upgrade moves name2 from an A+++ to a B- it may well be the end of
the world :p

I will test that and confirm (or not).
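An added pre-upgrade check, not from this thread or from httpd itself, that walks a config and reports which TLS vhosts lack an explicit SSLProtocol and what they would end up with. It assumes exactly the behaviour described in the message above (not yet confirmed there): before r1868645 such a vhost effectively took the SSLProtocol of the first vhost on the same address, after it the "all -SSLv3" default. The regex parser and the sample config are constructed for this example.

```python
import re

DEFAULT_SSLPROTOCOL = "all -SSLv3"  # SSLProtocol default, as stated in the thread

# Constructed sample mirroring the config discussed above.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName name1
    SSLProtocol TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName name2
    # no SSLProtocol
</VirtualHost>
"""

_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config):
    """Return (address, ServerName, SSLProtocol-or-None) per vhost, in file order."""
    vhosts = []
    for m in _VHOST_RE.finditer(config):
        address, body = m.group(1).strip(), m.group(2)
        name = proto = None
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            key, _, value = line.partition(" ")
            if key.lower() == "servername":
                name = value.strip()
            elif key.lower() == "sslprotocol":
                proto = value.strip()
        vhosts.append((address, name, proto))
    return vhosts


def effective_protocols(config):
    """Map ServerName -> (before r1868645, after r1868645) effective SSLProtocol.

    Assumption (from the thread, unverified): a vhost without SSLProtocol used
    to follow the first vhost on its address; now it gets the global default."""
    first_on_address, result = {}, {}
    for address, name, proto in parse_vhosts(config):
        first = first_on_address.setdefault(address, proto or DEFAULT_SSLPROTOCOL)
        result[name] = (proto or first, proto or DEFAULT_SSLPROTOCOL)
    return result


def changed_vhosts(config):
    """ServerNames whose effective SSLProtocol would change on upgrade."""
    return [n for n, (before, after) in effective_protocols(config).items() if before != after]
```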
