Posted to users@httpd.apache.org by ap...@thva.dk on 2015/05/06 14:54:00 UTC

[users@httpd] Weirdo interpretation of SSLProtocol order

Hello,


So I have an Apache 2.2.29 running prefork on FreeBSD 64-bit.

I have a number of vhosts included - one vhost per domain name. In any 
of these vhost containers the SSLProtocol directive seems to be ignored; 
only the default vhost dictates the SSLProtocol for all others 
(this is of course the first HTTPS-enabled vhost container, which might 
be relevant). Though the documentation argues that it's applicable per vhost, 
and not only in the server config.

For testing purposes, I add the following to my sub-vhost:
         SSLProtocol             -ALL +TLSv1.2

But when the default vhost is configured as such:
         SSLProtocol             -ALL +TLSv1 +TLSv1.1 +TLSv1.2

- that final example is the only one that's used throughout the webserver.


I read in http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol 
that it should be applicable per virtual host.
The goal is to host some sites via TLS 1.2 only, and some others 
only in TLS 1.1, for instance.



Does anyone else meet the same challenge or know how to resolve this?



br
congo



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
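The complaint above is that the default vhost's SSLProtocol wins for every name served on the shared IP. The way to confirm that from the outside, independently of what httpd.conf says, is to open one handshake per SNI name at each TLS version and record what gets negotiated. The script below is an added example for this page, not code from the thread or from httpd; it assumes an `openssl s_client` that understands -servername and the -tls1/-tls1_1/-tls1_2 flags (OpenSSL 1.0.1 and later), and the host, port and names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): probe which TLS versions a given SNI
# name on a shared IP actually accepts, so a per-vhost SSLProtocol can be
# verified from the outside instead of trusted from the config file.
# Assumes OpenSSL 1.0.1+ `openssl s_client` (-servername, -tls1, -tls1_1,
# -tls1_2 exist there).

# negotiated_protocol: read `openssl s_client` output on stdin and print the
# version OpenSSL reports in its "SSL-Session:" summary ("Protocol  : TLSv1.2"),
# or "none" when no such line exists, i.e. the handshake failed.
negotiated_protocol() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); proto = $1 }
        END { print (proto == "" ? "none" : proto) }
    '
}

# probe_sni HOST PORT SNI_NAME VERSION_FLAG
# VERSION_FLAG is one of -tls1, -tls1_1, -tls1_2. Sends SNI for SNI_NAME,
# forces that single protocol version and reports what was negotiated; a
# version the vhost is supposed to reject must come back as "none".
probe_sni() {
    host=$1; port=$2; sni=$3; flag=$4
    # </dev/null ends the session right after the handshake; stderr carries
    # the alert text when the version is refused and is not needed here.
    openssl s_client -connect "$host:$port" -servername "$sni" "$flag" \
        </dev/null 2>/dev/null | negotiated_protocol
}

# probe_matrix HOST PORT NAME...
# One row per (name, version). With the 2.2.29 behaviour described in the
# thread every name shows the same rows as the default vhost; once
# SSLProtocol is honoured per vhost, a TLS 1.2-only name prints "none"
# for -tls1 and -tls1_1.
probe_matrix() {
    host=$1; port=$2; shift 2
    for sni in "$@"; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            printf '%-30s %-8s %s\n' "$sni" "$flag" \
                "$(probe_sni "$host" "$port" "$sni" "$flag")"
        done
    done
}

# Usage (placeholder address and names):
#   probe_matrix 203.0.113.10 443 tls12only.example tls11only.example
```

Two caveats when reading the output: a client that sends no SNI at all always lands in the default vhost, so that vhost's SSLProtocol stays the floor for such clients no matter what the other vhosts say; and "none" only tells you the handshake failed, so check the server's SSL error log before concluding that a version was refused by policy rather than by a certificate or cipher problem.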


Re: [users@httpd] Weirdo interpretation of SSLProtocol order

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, May 11, 2015 at 11:30 AM,  <ap...@thva.dk> wrote:
>
> Do you mean - building 2.2.29 from apache.org sources ?

Yes, at least for testing purpose.
This would help backporting the change from 2.4.x to 2.2.x.

Regards,
Yann.



Re: [users@httpd] Weirdo interpretation of SSLProtocol order

Posted by ap...@thva.dk.
Hello,

Well - a patched version... what do you mean? I've built 
apache22-2.2.29_2 from ports... so it's already up to date. However 
the OpenSSL runtime is openssl-1.0.1_16, where I see there is an 
openssl-1.0.2_1 available from ports. I prefer to build from ports, in 
order to host a standardized environment for the web..

I have been looking into migration to Apache httpd 2.4, but from my 
understanding the config interpreter is not backwards compatible, so I 
have to redo all configs. I run around 50 domains and 450 sites, and 
about 15 instances of Apache httpd.. so there will be a bunch of config 
redoing..


Do you mean - building 2.2.29 from apache.org sources?



br
congo

On 2015-05-07 11:13, Yann Ylavic wrote:
> Hello,
> 
> you may hit an issue fixed in [1] (for upcoming 2.4.13).
> 
> Can you manage to build a patched httpd-2.2.29 from sources?
> 
> Regards,
> Yann.
> 
> [1] http://svn.us.apache.org/r1663258




Re: [users@httpd] Weirdo interpretation of SSLProtocol order

Posted by Yann Ylavic <yl...@gmail.com>.
Hello,

you may hit an issue fixed in [1] (for upcoming 2.4.13).

Can you manage to build a patched httpd-2.2.29 from sources?

Regards,
Yann.

[1] http://svn.us.apache.org/r1663258


