You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/11/22 09:43:12 UTC

[Bug 62939] SSLProtocol and TLSv1.3

https://bz.apache.org/bugzilla/show_bug.cgi?id=62939

--- Comment #1 from Stefan Eissing <st...@eissing.org> ---
AFAIK, the TLS protocol selection triggers before the Server Name Indication
(SNI) is available and can select your vhost.

This means that the protocol settings of the *first* vhost that you define for
the given port (here probably 443) will determine the base SSL capabilities,
such as protocols.

The server does not enforce the protocol version after the connection has been
made and the vhost selected, because this would break the negotiation after it
happened.

This is one of the quirks of mod_ssl and httpd's vhost selection, I'm afraid.

In your case, you basically have to decide which SSL protocol versions you want
on any address:port combination your server offers. If you can move your
special host to a separate IP, make that host the first one for that, the
protocol selection can be enforced.

Hoppe this helps.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org