On 29.10.2014 16:42, Yann Ylavic wrote:
> On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. <mi+t...@aldan.algebra.com> wrote:
>> That would solve our problem, though some may wonder about the subtle
>> differences between "any" and "all" :-) More seriously, it would also make
>> the config-files incompatible with earlier httpd-releases -- whereas the
>> patch I linked to does not have this problem.
Definitely agreeing with Mikhail. Adding "Any" as another option is just likely to cause even more confusion (and I'm also not in support of adding things like "safe", just for the record).

Without clear steps on how to reproduce the problem (what httpd version, what OpenSSL version, what client, what SSLProtocol settings), I'm fairly doubtful that there really is a problem here. From a quick glance at OpenSSL's s23_srvr.c:ssl23_get_client_hello(), I fail to see any reason why the current mod_ssl code in ssl_engine_init.c:ssl_init_ctx_protocol() would disable the acceptance of an SSLv2 compatible ClientHello when a single protocol setting (cases like protocol == SSL_PROTOCOL_TLSV1) is active.

Reading further down on the serverfault entry referenced earlier [1], the "real" OP (Matt Hughes, i.e. the one who posted to httpd-users, in the thread mentioned by Jeff) meanwhile came to the conclusion that his problem "was a non-issue all along. Apache will accept SSLv2 handshake with either of the configurations I posted above".

In fact, I have no problem connecting to httpd/mod_ssl with "SSLProtocol TLSv1" when using "openssl s_client -cipher RC4-MD5 -connect ..." (provided that RC4-MD5 is still enabled server-side). In that case, I'm seeing an SSLv2 compatible hello, with TLS 1.0 getting negotiated in the end.

Kaspar

[1] http://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache/
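As an added example (not code from this thread, nor from httpd or OpenSSL), the following Python parser tells the two ClientHello framings apart and pulls out the advertised client version and cipher list, which is what you would log server-side to see whether clients really still send the SSLv2-compatible form Kaspar describes. The sample hello it builds is constructed here; the cipher ids are the standard values for TLS RC4-MD5 (0x0004) and the SSLv2-only RC4 cipher.

```python
import struct

# Cipher specs in an SSLv2 CLIENT-HELLO are 3 bytes each: SSLv3/TLS suites are
# carried as 0x00 plus the 2-byte suite id, native SSLv2 ciphers start non-zero.
TLS_RSA_WITH_RC4_128_MD5 = 0x000004  # the "RC4-MD5" offered in the s_client test
SSL2_RC4_128_WITH_MD5 = 0x010080     # an SSLv2-only cipher, for comparison
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_ssl2_compat_hello(version, cipher_specs, challenge=b"\x11" * 16):
    """Constructed sample: an SSLv2-framed CLIENT-HELLO advertising `version`."""
    specs = b"".join(c.to_bytes(3, "big") for c in cipher_specs)
    body = struct.pack(">BHHHH", 1, version, len(specs), 0, len(challenge))
    body += specs + challenge
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_client_hello(data):
    """Return (framing, client_version, cipher_specs) for a client's first bytes."""
    if len(data) >= 2 and data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 1:          # msg type 1 = CLIENT-HELLO
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
        if spec_len % 3 or len(body) != 9 + spec_len + sid_len + chal_len:
            raise ValueError("malformed SSLv2 CLIENT-HELLO")
        raw = body[9:9 + spec_len]
        specs = [int.from_bytes(raw[i:i + 3], "big") for i in range(0, spec_len, 3)]
        return "sslv2-compat", version, specs
    if len(data) >= 44 and data[0] == 0x16 and data[5] == 1:
        # SSLv3/TLS record (type 0x16 handshake) carrying a ClientHello; the
        # client_version follows the 4-byte handshake header at offset 9.
        version = int.from_bytes(data[9:11], "big")
        off = 11 + 32 + 1 + data[43]               # skip random and session id
        cs_len = int.from_bytes(data[off:off + 2], "big")
        raw = data[off + 2:off + 2 + cs_len]
        suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
        return "tls-record", version, suites
    raise ValueError("unrecognised ClientHello framing")

def offers_ssl2_cipher(cipher_specs):
    """True if any 3-byte spec is a native SSLv2 cipher (first byte non-zero)."""
    return any(c >> 16 for c in cipher_specs)

if __name__ == "__main__":
    hello = build_ssl2_compat_hello(0x0301, [TLS_RSA_WITH_RC4_128_MD5])
    framing, ver, specs = classify_client_hello(hello)
    print(framing, VERSION_NAMES[ver], [hex(s) for s in specs], offers_ssl2_cipher(specs))
```

The point the output makes is the one from the thread: the framing is SSLv2-style, but the version inside is TLS 1.0 and no SSLv2-only cipher is offered, so a server limited to TLSv1 can still negotiate it.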