mod_ssl: follow up to r1868645.
authorYann Ylavic <ylavic@apache.org>
Fri, 25 Oct 2019 13:26:14 +0000 (13:26 +0000)
committerYann Ylavic <ylavic@apache.org>
Fri, 25 Oct 2019 13:26:14 +0000 (13:26 +0000)
Keep the base server's SSLProtocol if none is configured on the vhost
selected by Hello/SNI callback.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868929 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

index 023971b234fc36e9db6a55aca5077abdee03ada2..0d17ec69391b692f41e950d1c7ccf2bac9f7e44c 100644 (file)
@@ -2514,8 +2514,14 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
         && (!defined(LIBRESSL_VERSION_NUMBER) \
             || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
-        SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
-        SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+        /*
+         * Don't switch the protocol if none is configured for this vhost,
+         * the default in this case is still the base server's SSLProtocol.
+         */
+        if (myCtxConfig(sslcon, sc)->protocol_set) {
+            SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
+            SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+        }
 #endif
         if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
             (SSL_num_renegotiations(ssl) == 0)) {
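Review bot: The two setters inside the new `protocol_set` branch are still called with their results ignored; both return 0 on failure, and the connection would then keep the protocol bounds it had before the SNI switch rather than the ones configured for the selected vhost. Since that can leave a vhost with a stricter SSLProtocol negotiating under the base server's wider range, the branch should test the calls, e.g. `if (!SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx)) || !SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx)))`, then log the failure and reject the switch. The added comment could also say outright that a vhost without its own SSLProtocol negotiates with the base server's range, so any protocol restriction has to be set there or repeated on the vhost. The body of ssl_find_vhost starts and ends outside this hunk, so how a failure should be reported to the caller needs to be confirmed against the rest of the function.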