Posted to users@httpd.apache.org by ap...@thva.dk on 2015/05/06 14:54:00 UTC
[users@httpd] Weirdo interpretation of SSLprotocol order
Hello,
So I have an Apache 2.2.29 running Prefork on FreeBSD 64-bit.
I have a number of vhosts included - one vhost per domain name. In any
of these vhost containers the SSLProtocol directive seems to be ignored,
but only the default vhost is dictating the SSLProtocol for all others
(this is of course the first HTTPS-enabled vhost container, which might
be relevant). Though the documentation argues that it's applicable per vhost,
and not only in server config.
For testing purposes, I add the following to my sub-vhost:
SSLProtocol -ALL +TLSv1.2
But when the default vhost is configured as such:
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
- that final example is the only one that's used throughout the webserver.
I read in http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol,
that it should be applicable per virtual host.
The goal is to host some sites via TLS 1.2 only, and some other ones
only in TLS 1.1 for instance.
Does anyone else meet the same challenge or know how to resolve this?
br
congo
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
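An added example, not part of the original thread or of httpd: a small Python audit that models the behaviour reported above (the first HTTPS vhost on an address dictating SSLProtocol for the others) and lists vhosts whose own SSLProtocol would therefore not take effect. The sample config, the host names and the expansion of ALL are assumptions constructed for illustration.

```python
import re

# Assumption for this example: what "ALL" expands to; adjust for your build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def protocols(args):
    # Simplified model: tokens apply left to right; a bare token replaces the set.
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled = enabled - names
        else:
            enabled = (enabled | names) if sign else set(names)
    return enabled

def vhosts(conf):  # yields (address, ServerName, protocol set or None) in file order
    cur = None
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = [m.group(1).strip(), None, None]
        elif cur and line.lower().startswith("</virtualhost"):
            yield tuple(cur)
            cur = None
        elif cur and line.lower().startswith("servername "):
            cur[1] = line.split(None, 1)[1]
        elif cur and line.lower().startswith("sslprotocol "):
            cur[2] = protocols(line.split(None, 1)[1])

def audit(conf):  # returns [(ServerName, configured, dictated by default vhost)]
    first, findings = {}, []
    for addr, name, proto in vhosts(conf):
        if addr not in first:
            first[addr] = proto  # first vhost on this address acts as the default
        elif proto is not None and proto != first[addr]:
            findings.append((name, sorted(proto), sorted(first[addr] or [])))
    return findings

# Constructed sample using the two SSLProtocol lines from the post.
SAMPLE = """<VirtualHost *:443>
  ServerName default.example
  SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
<VirtualHost *:443>
  ServerName tls12.example
  SSLProtocol -ALL +TLSv1.2
</VirtualHost>"""
```

Each finding is a vhost to confirm against the running server with a TLS client that sends SNI for that name.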
Re: [users@httpd] Weirdo interpretation of SSLprotocol order
Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, May 11, 2015 at 11:30 AM, <ap...@thva.dk> wrote:
>
> Do you mean - building 2.2.29 from apache.org sources?
Yes, at least for testing purposes.
This would help backporting the change from 2.4.x to 2.2.x.
Regards,
Yann.
Re: [users@httpd] Weirdo interpretation of SSLprotocol order
Posted by ap...@thva.dk.
Hello,
Well - a patched version... what do you mean - I've built
apache22-2.2.29_2 from ports... so it's already up to date. However
the openssl runtime is openssl-1.0.1_16, where I see there is an
openssl-1.0.2_1 available from ports. I prefer to build from ports, in
order to host a standardized environment for the web.
I have been looking into migration to apache httpd 2.4, but from my
understanding the config interpreter is not backwards compatible, so I
have to renew all configs. I run around 50 domains and 450 sites, and
about 15 instances of apache httpd, so there will be a bunch of config
redoing.
Do you mean - building 2.2.29 from apache.org sources?
br
congo
On 2015-05-07 11:13, Yann Ylavic wrote:
> Hello,
>
> you may hit an issue fixed in [1] (for upcoming 2.4.13).
>
> Can you manage to build a patched httpd-2.2.29 from sources?
>
> Regards,
> Yann.
>
> [1] http://svn.us.apache.org/r1663258
Re: [users@httpd] Weirdo interpretation of SSLprotocol order
Posted by Yann Ylavic <yl...@gmail.com>.
Hello,
you may hit an issue fixed in [1] (for upcoming 2.4.13).
Can you manage to build a patched httpd-2.2.29 from sources?
Regards,
Yann.
[1] http://svn.us.apache.org/r1663258