Ok, let me summarize: - SSLProtocol on base server applies, unless vhost has its own setting - no SSLProtocol on base server, SSLProtocol on vhost applies - no SSLProtocol on base server, no SSLProtocol on vhost, possible SSLProtocol on base vhost applies
To me, this is an improvement over the current, obscure workings. Thanks for saving me having to come up with a name, Yann! - Stefan > Am 27.10.2019 um 13:22 schrieb Yann Ylavic <[email protected]>: > > On Fri, Oct 25, 2019 at 4:18 PM Yann Ylavic <[email protected]> wrote: >> >> The current status is that, without an opt-in/out, it takes the root >> value if configured, or the base server's otherwise. Not very >> intuitive... > > Thinking more about this, I think it's not so bad. If no SSLProtocol > is configured neither globally nor in the non-base NVH then we use the > SSLProtocol of the base VNH, otherwise we use the one configured > (either in the VNH or globally). It looks satisfactory to me for 2.4.x > finally, no opt-in/out. > > For trunk I think we should let the usual merging apply, that is, if > no SSLProtocol is defined in the VNH nor globally, use the default > value ("all -SSLv3"), the base vhost is irrelevent in any case. > > WDYT?
