author | Yann Ylavic <ylavic@apache.org> | 2024-10-16 16:11:41 +0200 |
---|---|---|
committer | Yann Ylavic <ylavic@apache.org> | 2024-10-16 16:11:41 +0200 |
commit | 543a0be8808ebfbb737e3e002016298e13440a64 (patch) | |
tree | 47ad5f0ec20cadc94ef6cd025b1bd3fdaca83118 | |
parent | Revert r1921336. (diff) | |
mod_ssl: Revert r1868929 on trunk (only).
We discussed in 2019 that after 2.4.x's backport r1873907 we should apply
normal/usual merging for SSLProtocol in next versions (thus trunk first).
See: https://lists.apache.org/thread/76yh7j3fwj2tsmffsqcqpv4mcfph5vqx
Make this happen finally.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921360 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index ac03b2ef7f..134fb17afb 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2612,14 +2612,13 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 #if OPENSSL_VERSION_NUMBER >= 0x1010007fL \
 && (!defined(LIBRESSL_VERSION_NUMBER) \
 || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
- /*
- * Don't switch the protocol if none is configured for this vhost,
- * the default in this case is still the base server's SSLProtocol.
- */
- if (myConnCtxConfig(c, sc)->protocol_set) {
- SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
- SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
- }
+ /* Switch to the vhost's protocols. Note that 2.4 used to do this
+ * only if SSLProtocol was configured/inherited for this vhost, using
+ * the base server's SSLProtocol otherwise. From 2.5 usual merging
+ * applies.
+ */
+ SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
+ SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
 #endif
 if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
 (SSL_num_renegotiations(ssl) == 0)) {
|
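Review bot: With the `protocol_set` guard removed, the two setters now run on every SNI switch, so a vhost without its own SSLProtocol takes its version range from the merged `ctx` instead of keeping the base server's range. If a configuration tightened SSLProtocol only on the base server, whether that restriction still reaches such vhosts depends on merging code that is not visible in this hunk. The new comment records what 2.4 did but not what an operator should verify, so I would add a line such as `* A vhost that relied on the base server's SSLProtocol now gets its own merged value.` The return values of `SSL_set_min_proto_version()` and `SSL_set_max_proto_version()` are still discarded; both return 0 on failure, which would leave the connection on the range set before the switch, so checking them and logging a failure would be worthwhile. ssl_find_vhost's body starts and ends outside the hunk.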