On Sun, August 16, 2020 3:20 pm, hisacro wrote:
> On Sun, Aug 16, 2020 at 02:34:27PM -0400, trondd wrote:
>
>> Oh, I see what you're doing.  BOTH listen lines are active in the second
>> server block.  When you connect to port 443 with that config, which TLS
>> settings does it use?  I want to guess that because you're listening on
>> port 8000 without tls first, the listen with tls is skipped along with
>> the tls block below it.
>
> No, listen TLS isn't skipped for sub.domain.tld
>

That's not what I see.  With the additional listen line, allowing httpd to
start, my subdomain server is using the tls setup from the main server
tls block except for the cert and key to support SNI.  Change the
additional listen line to tls and you'll see that one will pick up the tls
block as it's on a different port.

I think my initial assessment stands.  You can't have different tls blocks
on the same ip/port except certificates and keys for SNI.  It explicitly
does a check to make sure that the other parameters match.

The bug here is in how additional listen lines interact with the remaining
configuration.  The first listen line in a server block gets the tls block
and it doesn't get applied to the second listen line.  Except for certs
and keys which are handled differently for SNI.
