Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-24 Thread Yann Ylavic
Hi Marian,

On Thu, Oct 24, 2019 at 5:56 PM Marian Ion wrote:
>
> I don't know if my reply passed to the list

Now it has ;)

> the idea is that the last
> patch works, and I thank you very much for that!

Thanks for testing!

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-22 Thread Yann Ylavic
Hi Marian,

On Mon, Oct 21, 2019 at 10:53 PM Marian-Nicolae Ion wrote:
>
> I recompiled and installed the new version... but I came back quickly to the
> "standard" one:
> - using "curl" I have noticed that effectively I could have TLS 1.3 only on
> the desired virtual host and TLS 1.2+ on the

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-22 Thread Stefan Eissing
> On 21.10.2019 at 22:53, Marian-Nicolae Ion wrote:
>
> Hi!
>
> I recompiled and installed the new version... but I came back quickly to the
> "standard" one:
> - using "curl" I have noticed that effectively I could have TLS 1.3 only on
> the desired virtual host and TLS 1.2+ on the

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-21 Thread Marian-Nicolae Ion
Hi!

I recompiled and installed the new version... but I came back quickly to the "standard" one:
- using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
- however, using a normal browser (Firefox, Chromium,...) I

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-21 Thread Yann Ylavic
On Mon, Oct 21, 2019 at 4:59 PM Yann Ylavic wrote:
>
> On Mon, Oct 21, 2019 at 4:21 PM Aleksandar Ivanisevic wrote:
> >
> > could you please copy the list or me, as I would be also interested.
>
> That's http://svn.apache.org/r1868645 on trunk. It applies cleanly to
> latest 2.4 version, just

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-21 Thread Yann Ylavic
Hi,

On Mon, Oct 21, 2019 at 4:21 PM Aleksandar Ivanisevic wrote:
>
> could you please copy the list or me, as I would be also interested.

That's http://svn.apache.org/r1868645 on trunk. It applies cleanly to latest 2.4 version, just in case the corresponding patch is attached here.

Regards,

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-21 Thread Aleksandar Ivanisevic
Hi,

could you please copy the list or me, as I would be also interested.

regards,

On 20. October 2019 at 13:28:51, Yann Ylavic (ylavic@gmail.com) wrote:

Hi Marian,

On Wed, Oct 16, 2019 at 9:17 AM Marian Ion wrote:
>
> Is it possible to do what I am looking for? if yes, what am I doing

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-20 Thread Yann Ylavic
Hi Marian,

On Wed, Oct 16, 2019 at 9:17 AM Marian Ion wrote:
>
> Is it possible to do what I am looking for? if yes, what am I doing wrong?

I've just committed a change to httpd (trunk) which allows to negotiate the SSLProtocol per name based virtual host configuration. It requires OpenSSL

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-18 Thread Marian-N. Ion
On 18/10/2019 01:49, Anil Kumar P wrote:
> As suggested in the wiki, did you set below during your tests. Let us
> know your findings.
>
> NameVirtualHost *:443

Well, I didn't test that, because at it is written that " This

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-17 Thread Anil Kumar P
As suggested in the wiki, did you set below during your tests. Let us know your findings.

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

Thanks,
Anil

> On Oct

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-17 Thread William A Rowe Jr
On Thu, Oct 17, 2019 at 2:06 AM Marian Ion wrote:
>
> Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the
> documentation "If set to on in the default name-based virtual host,
> clients that are SNI unaware will not be allowed to access any virtual
> host".
> I set it in the

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-17 Thread Marian Ion
On 17/10/2019 04:51, Anil Kumar P wrote:
> Is the client sending hostname header with the correct host, if not by
> default first vhost will be served.

Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the documentation "If set to on in the default name-based virtual host,

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-16 Thread Anil Kumar P
Is the client sending hostname header with the correct host, if not by default first vhost will be served.

Thanks,
Anil

> On Oct 16, 2019, at 7:52 AM, Marian Ion wrote:
>
>> On 16/10/2019 12:44, Martin Drescher wrote:
>> So I would suggest, putting the 1.3 only server as the first in your

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-16 Thread Marian Ion
On 16/10/2019 12:44, Martin Drescher wrote:
> So I would suggest, putting the 1.3 only server as the first in your config.
> I would also suggest, to set 'SSLProtocol -all +TLSv1.2 +TLSv1.3' in the SSL
> module's config and after that, deny it in 'second.server.on.my.domain' with
> 'SSLProtocol

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-16 Thread Martin Drescher
Marian, as far as I understand (educated guess!), the 'server_name' is sent during TLS handshake, but after server & client have agreed to a TLS version. Hence, I would expect, that a client which prefers TLS 1.2 will never see 'second.server.on.my.domain'. Which may exactly be what you want.

[users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

2019-10-16 Thread Marian Ion
According to "With SNI, you can have many virtual hosts sharing the same IP address and port, and each one can have its own unique certificate (and the rest of the configuration)." So, using Apache 2.4.41 on a Debian