From: Yann Ylavic Date: Mon, 28 Oct 2019 14:58:19 +0000 (+0000) Subject: mod_ssl: follow up to r1868645. X-Git-Tag: 2.5.0-alpha2-ci-test-only~1837 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=794f293560321f0e438552283f03236312416131;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: follow up to r1868645. CHANGES entry and docs' note. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869077 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index a3c749453bf..90335518849 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: negotiate the TLS protocol version per name based vhost + configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's + SSLProtocol (from the first vhost declared on the IP:port) is now only + relevant if no SSLProtocol is declared for the vhost or globally, + otherwise the vhost or global value apply. [Yann Ylavic] + *) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies, leading to Request Timeout (408). PR 63855. [Yann Ylavic] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 9742efe773e..7290058b021 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -668,6 +668,31 @@ SSLProtocol TLSv1 + +<directive>SSLProtocol</directive> for name-based virtual hosts +

+Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to +determine the targeted virtual host early in the TLS handshake, it was not +possible to switch the TLS protocol version of the connection at this point, +and thus the SSLProtocol negotiated was always based off +the one of the base virtual host (first virtual host declared on the +listening IP:port of the connection). +

+

+Beginning with Apache HTTP server version 2.5.1, when built/linked against +OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS +handshake, the SSLProtocol of each (name-based) virtual +host can and will be honored. +

+

+For compatibility with previous versions, if no +SSLProtocol is configured in a name-based virtual host, +the one from the base virtual host still applies, unless +SSLProtocol is configured globally in which case the +global value applies (this latter exception is more sensible than compatible, +though). +

+
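Review bot: In the CHANGES hunk, the last sentence has a subject/verb mismatch and a missing hyphen: "otherwise the vhost or global value apply" should read "otherwise the vhost or global value applies", and "per name based vhost" should be "per name-based vhost". The entry also leaves out the one precondition the docs hunk states, namely that the per-vhost SSLProtocol is only negotiated "when the SNI is provided by the client"; a client that sends no SNI still gets the base vhost's SSLProtocol, which matters to anyone relying on a stricter per-vhost setting, so consider adding "when the client sends SNI" to the first sentence.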
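Review bot: In the mod_ssl.xml hunk the three paragraphs carry several non-idiomatic phrasings that should be tightened before this ships in the manual: "the Server Name Indication (SNI) allowed to determine" should be "made it possible to determine", "was always based off the one of the base virtual host" should be "was always based on that of the base virtual host", and the closing parenthetical "(this latter exception is more sensible than compatible, though)" reads as an aside rather than documentation; state it directly, e.g. "Note that this differs from earlier releases, where the base virtual host's setting took precedence over the global one." The note would also benefit from spelling out the fallback for clients that do not send SNI, since the second paragraph only covers the case where SNI is present and the precedence described in the third paragraph (vhost, then global, then base vhost) does not apply to them.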