Posted to cvs@httpd.apache.org by yl...@apache.org on 2019/10/28 14:58:19 UTC
svn commit: r1869077 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml
Author: ylavic
Date: Mon Oct 28 14:58:19 2019
New Revision: 1869077
URL: http://svn.apache.org/viewvc?rev=1869077&view=rev
Log:
mod_ssl: follow up to r1868645.
CHANGES entry and docs' note.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1869077&r1=1869076&r2=1869077&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct 28 14:58:19 2019
@@ -1,6 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: negotiate the TLS protocol version per name based vhost
+ configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
+ SSLProtocol (from the first vhost declared on the IP:port) is now only
+ relevant if no SSLProtocol is declared for the vhost or globally,
+ otherwise the vhost or global value apply. [Yann Ylavic]
+
*) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
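Review bot: the CHANGES entry omits the precondition that the client must send SNI, which the matching docs note in this same commit states; a client that sends no SNI (or an httpd linked against OpenSSL older than 1.1.1) still negotiates with the base vhost's SSLProtocol, so "when linked with OpenSSL-1.1.1 or later" should not be the only condition named. Also "otherwise the vhost or global value apply" should read "applies", and stating the precedence in order (the vhost's own SSLProtocol, then the global one, then the base vhost's) would spare readers working it out from the double negative in "is now only relevant if no SSLProtocol is declared for the vhost or globally".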
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1869077&r1=1869076&r2=1869077&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Oct 28 14:58:19 2019
@@ -668,6 +668,31 @@ SSLProtocol TLSv1
</highlight>
</example>
</usage>
+<note>
+<title><directive>SSLProtocol</directive> for name-based virtual hosts</title>
+<p>
+Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to
+determine the targeted virtual host early in the TLS handshake, it was not
+possible to switch the TLS protocol version of the connection at this point,
+and thus the <directive>SSLProtocol</directive> negotiated was always based off
+the one of the <em>base virtual host</em> (first virtual host declared on the
+listening <code>IP:port</code> of the connection).
+</p>
+<p>
+Beginning with Apache HTTP server version 2.5.1, when built/linked against
+OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS
+handshake, the <directive>SSLProtocol</directive> of each (name-based) virtual
+host can and will be honored.
+</p>
+<p>
+For compatibility with previous versions, if no
+<directive>SSLProtocol</directive> is configured in a name-based virtual host,
+the one from the base virtual host still applies, <strong>unless</strong>
+<directive>SSLProtocol</directive> is configured globally in which case the
+global value applies (this latter exception is more sensible than compatible,
+though).
+</p>
+</note>
</directivesynopsis>
<directivesynopsis>
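Review bot: the third paragraph of the new note buries a behaviour change in the aside "this latter exception is more sensible than compatible, though": a name-based vhost without its own SSLProtocol that previously inherited the base vhost's value will, after upgrading to 2.5.1 with OpenSSL 1.1.1 or later, silently switch to the global value if one is set, which can tighten or loosen the protocol versions accepted on that name. State that as a plain sentence so operators know to check global SSLProtocol before upgrading. The note also leaves the complementary case implicit: when the client sends no SNI, or httpd is linked against OpenSSL older than 1.1.1, the base virtual host's SSLProtocol is still the one negotiated regardless of what the name-based vhost declares; one sentence saying so would close the gap. Minor wording in the first paragraph: "the Server Name Indication (SNI) allowed to determine" should be "allowed determining" (or "made it possible to determine"), and "based off the one of the base virtual host" reads better as "based on that of the base virtual host".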