On Fri, Oct 25, 2019 at 7:59 AM Yann Ylavic <[email protected]> wrote:
>
> On Fri, Oct 25, 2019 at 1:21 PM Eric Covener <[email protected]> wrote:
> >
> > > I am pretty conservative on these usually but I think opt-out would be OK.
> >
> > I am not even sure opt-out makes sense vs. just moving the directives
> > not expected to be used.
>
> Yes, opt-out is possibly no better than adjusting the configuration.
> A one-liner may help though for complex/split configurations.
>
> > I guess some obscure config could reach the same VH over a non-SNI
> > alternate address AND different protocols are desired? Seems pretty
> > unlikely.
>
> I'm not sure I understand what you mean.

I only meant where some actual opt-out would be useful vs. config fix.

> Suppose a config like the below (untested, will do):
>
> <VirtualHost *:443>
> ServerName name1
> SSLProtocol TLSv1.2
> </VirtualHost>
>
> <VirtualHost *:443>
> ServerName name2
> # no SSLProtocol
> </VirtualHost>
>
> I think that currently (2.4.x), name2 is de facto "TLSv1.2" (like its
> base server), but with r1868645 it's now "all -SSLv3" (the default for
> SSLProtocol).
> If an upgrade moves name2 from an A+++ to a B- it may well be the end
> of the world :p
>
> I will test that and confirm (or not).

Could the callback behave differently in the omitted case (opt-in)? That would allow the case where it's explicit to be handled better OOTB (not even opt-out really).

-- 
Eric Covener
[email protected]
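The "adjust the configuration" fix the thread talks about, written out as an added example (not a config from the thread or from httpd itself). It assumes the two vhosts from Yann's quoted config and that the global server context is where the protocol policy is meant to live, so name2 no longer depends on inheriting from the first vhost for *:443.

```apache
# Added example: state the TLS protocol policy once in the global (base server)
# context. A <VirtualHost> that omits SSLProtocol inherits the base server's
# value through mod_ssl's config merge, so name2 gets TLSv1.2 both before and
# after r1868645, instead of dropping to the directive default ("all -SSLv3")
# once per-vhost protocol negotiation is honoured for SNI hosts.
SSLProtocol TLSv1.2

<VirtualHost *:443>
    ServerName name1
    # Explicit here as in the original config; identical to the inherited value.
    SSLProtocol TLSv1.2
</VirtualHost>

<VirtualHost *:443>
    ServerName name2
    # No SSLProtocol: now inherits TLSv1.2 from the global context above,
    # which is the behaviour the thread says name2 used to get "de facto".
</VirtualHost>
```

After reloading, confirming what each SNI name actually negotiates (e.g. with a TLS scanner or an openssl s_client handshake forced to an older version) is the check Yann refers to as "test that and confirm".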
