On Fri, Oct 25, 2019 at 7:42 PM Alex Hautequest <[email protected]> wrote:
>
> IMHO, it *is* intuitive. If you want no default configuration, do not set one
> by default, otherwise inheritance applies - just as everything else in this
> daemon.
Possibly the inheritance we are talking about here is not the one you are thinking of, not the usual one in httpd at least.

In current httpd 2.4, the SSLProtocol which applies for name-based vhosts is the one of the base vhost (the first vhost declared on the IP:port), because until OpenSSL-1.1.1 there was no way to change the protocol of a TLS connection, and httpd needs a TLS connection first to start the handshake, and OpenSSL wants a protocol to create the connection, chicken and egg... So the SSLProtocol used to create the TLS connection is the one based on the IP:port the connection is accepted on, i.e. the base vhost's.

Now we can and want to be able to configure/honor SSLProtocol per vhost, but the de facto default is the base vhost for SSLProtocol, not the global/root server where directives usually inherit from.

Suppose a configuration like this:

    # global
    SSLProtocol TLSv1.3

    # base vhost
    <VirtualHost *:443>
        ServerName name1
        SSLProtocol TLSv1.2
    </VirtualHost>

    # non-base vhost
    <VirtualHost *:443>
        ServerName name2
        # no SSLProtocol
    </VirtualHost>

Which SSLProtocol should name2 apply? For compatibility with 2.4, that's TLSv1.2, your/one's intuition? If unintuitive, we need some option to address both 2.4 compatibility (with some default there) and intuition/POLS (with another default for next versions).

Regards,
Yann.
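The two candidate defaults described in the message, modelled as an added example (not httpd code, and not from the thread): a small parser for the config above and a resolver that picks the effective SSLProtocol for a vhost either the 2.4-compatible way (base vhost on the same IP:port, assumed to fall back to the global value if the base vhost sets none) or the "usual inheritance" way (global server). The `mode` names and the simplified directive grammar are assumptions for illustration.

```python
"""Resolve the effective SSLProtocol of a name-based vhost under two policies."""
import re

# Constructed config mirroring the thread's example; not a real deployment.
CONFIG = """
# global
SSLProtocol TLSv1.3
# base vhost
<VirtualHost *:443>
    ServerName name1
    SSLProtocol TLSv1.2
</VirtualHost>
# non-base vhost
<VirtualHost *:443>
    ServerName name2
    # no SSLProtocol
</VirtualHost>
"""

def parse(text):
    """Return (global SSLProtocol or None, vhosts in declaration order)."""
    global_proto, vhosts, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+(\S+)>", line)
        if m:  # open a new vhost block keyed by its IP:port address
            current = {"addr": m.group(1), "ServerName": None, "SSLProtocol": None}
            continue
        if line == "</VirtualHost>":
            vhosts.append(current)
            current = None
            continue
        key, _, value = line.partition(" ")
        if current is None:
            if key == "SSLProtocol":
                global_proto = value.strip()
        elif key in current:
            current[key] = value.strip()
    return global_proto, vhosts

def effective_protocol(name, text, mode):
    """mode="base-vhost": 2.4-compatible default; mode="global": root-server default."""
    global_proto, vhosts = parse(text)
    target = next(v for v in vhosts if v["ServerName"] == name)
    if target["SSLProtocol"]:          # explicit per-vhost setting wins in both modes
        return target["SSLProtocol"]
    if mode == "base-vhost":           # first vhost declared on the same IP:port
        base = next(v for v in vhosts if v["addr"] == target["addr"])
        return base["SSLProtocol"] or global_proto   # assumption: base falls back to global
    if mode == "global":
        return global_proto
    raise ValueError(f"unknown mode {mode!r}")
```

For the config above, name2 resolves to TLSv1.2 under "base-vhost" and TLSv1.3 under "global", which is exactly the divergence the option in the message would have to pick between.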
