On Wed, Apr 11, 2018 at 6:41 PM, Joe Orton <jor...@redhat.com> wrote:
> On Wed, Apr 11, 2018 at 05:49:47PM +0200, Yann Ylavic wrote:
>> I agree... to both Stefan's and your points of view here :p
>
> YOU FENCE SITTER! :)

:D

>
> I feel like it should be possible to restore the old behaviour simply by
> disabling the implicit-SSLEngine-on in the cases where we'd never get a
> separate SSLSrvConfigRec before.
>
> e.g. could we suppress default-on if pks->cert_files is empty? (plus
> some mod_md fudge factor??)

I'm not sure I understand how this'd help, there may still be multiple
vhosts with mod_md.
I'd like this approach if it works, but don't see the link for now.

As for my proposal, maybe the other way around then: for 2.4.x, we
could require that mod_md's LoadModule precedes mod_ssl's so that it
can reset ap_module_flags_umask before (ap_module_flags_umask would be
internal only, defaulting to -1).
Since mod_md is experimental, maybe we can afford this requirement...