On Fri, Oct 25, 2019 at 9:56 AM Stefan Eissing <[email protected]> wrote:
>
> If I understand this correctly: if someone has some old
> SSLProtocol/Cipher/etc. setting sitting in a vhost, *ineffective now since it
> is not the first vhost*, this change would activate it.

Ciphers/etc work per vhost already thanks to the SNI callback, it's
only SSLProtocol that can't be changed from there due to OpenSSL
internals (AIUI), but still..

> So it could expose a site to a TLS setting that is not appropriate for it.
> One could argue that the first mistake was for the admin to leave that
> setting there, but...

Yeah, my fear as well.
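
An added example, not part of the message above and not httpd code: a small audit that lists `SSLProtocol` lines in non-first vhosts that differ from the first vhost on the same address, which are the leftover settings the thread worries would become active. It assumes vhosts are grouped by the literal `<VirtualHost>` address string, ignores `Include` files, and runs on a constructed sample config.

```python
import re
from collections import defaultdict

# Constructed sample configuration for this example (not from the thread).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName www.example.test
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    ServerName admin.example.test
    SSLProtocol -all +TLSv1.3
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|SSLProtocol)\s+(.+?)\s*$", re.I)

def parse_vhosts(text):
    """Return vhost blocks in file order (simplified parser, no Include handling)."""
    vhosts, cur = [], None
    for line in text.splitlines():
        if (m := VHOST_OPEN.match(line)):
            cur = {"addr": " ".join(m.group(1).split()),
                   "servername": None, "sslprotocol": None}
        elif VHOST_CLOSE.match(line) and cur is not None:
            vhosts.append(cur)
            cur = None
        elif cur is not None and (m := DIRECTIVE.match(line)):
            cur[m.group(1).lower()] = " ".join(m.group(2).split())
    return vhosts

def latent_sslprotocol(text):
    """Flag SSLProtocol in non-first vhosts that differs from the first vhost's."""
    groups = defaultdict(list)
    for vh in parse_vhosts(text):
        groups[vh["addr"]].append(vh)  # assumption: same address string = same group
    findings = []
    for addr, vhs in groups.items():
        first = vhs[0]["sslprotocol"]  # None means inherited from the server config
        for vh in vhs[1:]:
            if vh["sslprotocol"] and vh["sslprotocol"] != first:
                findings.append((addr, vh["servername"], vh["sslprotocol"], first))
    return findings
```

Each finding is a tuple of address, `ServerName`, the vhost's own `SSLProtocol` value, and the first vhost's value for comparison.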
