Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/11/22 09:09:59 UTC

[Bug 62939] New: SSLProtocol and TLSv1.3

https://bz.apache.org/bugzilla/show_bug.cgi?id=62939

            Bug ID: 62939
           Summary: SSLProtocol and TLSv1.3
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: JBlond@gmail.com
  Target Milestone: ---

In my global settings I have

SSLProtocol -all +TLSv1.2 +TLSv1.3

In one vhost I want only TLS 1.3. So in that vhost I added 

SSLProtocol -all +TLSv1.3

However, that setting does not work. On that vhost even a client that cannot do
TLSv1.3 can connect.

Apache: 2.4.37
OpenSSL: 1.1.1a
nghttp2: 1.32.0

Tried with winnt mpm and event mpm

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 62939] SSLProtocol and TLSv1.3


Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|PatchAvailable              |FixedInTrunk



[Bug 62939] SSLProtocol and TLSv1.3


Mario <JB...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable



[Bug 62939] SSLProtocol and TLSv1.3


--- Comment #1 from Stefan Eissing <st...@eissing.org> ---
AFAIK, the TLS protocol selection triggers before the Server Name Indication
(SNI) is available and can select your vhost.

This means that the protocol settings of the *first* vhost that you define for
the given port (here probably 443) will determine the base SSL capabilities,
such as protocols.

The server does not enforce the protocol version after the connection has been
made and the vhost selected, because this would break the negotiation after it
happened.

This is one of the quirks of mod_ssl and httpd's vhost selection, I'm afraid.

In your case, you basically have to decide which SSL protocol versions you want
on any address:port combination your server offers. If you can move your
special host to a separate IP and make that host the first one for it, the
protocol selection can be enforced.

Hope this helps.

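The selection quirk explained in the comment above, as an added example (not code from the report or from httpd): a small Python checker that models the `SSLProtocol` +/-/all token syntax and flags vhosts whose own setting differs from the first vhost on the same address:port, since that first vhost's setting is the one actually enforced before SNI is available. The config snippet, host names and the all-known-versions fallback for a missing global directive are constructed assumptions.

```python
import re

KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Constructed httpd snippet mirroring the report: a global SSLProtocol and two
# vhosts on the same address:port, only the second of which wants TLSv1.3 only.
SAMPLE_CONFIG = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
<VirtualHost *:443>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName tls13-only.example.com
    SSLProtocol -all +TLSv1.3
</VirtualHost>
"""

def parse_sslprotocol(value):
    """Model of the directive's token syntax: start from an empty set, '+' adds,
    '-' removes, 'all' expands to every known version, a bare name replaces."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(KNOWN) if name.lower() == "all" else {name}
        if op == "+":
            enabled |= names
        elif op == "-":
            enabled -= names
        else:
            enabled = names
    return frozenset(enabled)

def parse_vhosts(config_text):
    """Return [(addr, servername, protocols)] in definition order. A vhost without
    its own SSLProtocol inherits the global one (assumed: all known versions when
    no global directive is present)."""
    global_set, vhosts, cur = frozenset(KNOWN), [], None
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r"<VirtualHost\s+(\S+)>", line, re.I):
            cur = {"addr": m.group(1), "name": None, "protos": None}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append((cur["addr"], cur["name"], cur["protos"] or global_set))
            cur = None
        elif m := re.match(r"ServerName\s+(\S+)", line, re.I):
            cur["name"] = m.group(1)
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            parsed = parse_sslprotocol(m.group(1))
            if cur is None:
                global_set = parsed
            else:
                cur["protos"] = parsed
    return vhosts

def check_protocol_mismatches(config_text):
    """Protocol negotiation happens before SNI, so the first vhost per address:port
    decides; report later vhosts whose own setting is silently not enforced."""
    first, findings = {}, []
    for addr, name, protos in parse_vhosts(config_text):
        enforced = first.setdefault(addr, protos)
        if protos != enforced:
            findings.append((addr, name, sorted(protos), sorted(enforced)))
    return findings
```

Run `check_protocol_mismatches(SAMPLE_CONFIG)` to see the TLSv1.3-only vhost reported against the TLSv1.2+TLSv1.3 set that the first vhost on `*:443` imposes.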


[Bug 62939] SSLProtocol and TLSv1.3


Mario <JB...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |JBlond@gmail.com

--- Comment #2 from Mario <JB...@gmail.com> ---
Created attachment 36857
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36857&action=edit
ssl callback Hello Client patch from Yann Ylavic

This patch allows each vhost to run with its own SSLProtocol



[Bug 62939] SSLProtocol and TLSv1.3


Michael Kaufmann <ap...@michael-kaufmann.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #3 from Michael Kaufmann <ap...@michael-kaufmann.ch> ---


*** This bug has been marked as a duplicate of bug 55707 ***
