Maybe mod_gnutls or libressl (working with patched mod_ssl, available in trunk but not yet backported) can do better here, I don't know enough about them to tell.
Regards, Yann. On Wed, Jun 17, 2015 at 12:37 AM, karl karloff <karlkarl...@hotmail.com> wrote: > So that does not actually help in the case of SSLv3 because SNI is an > extension to TLS. It seems like this is not possible in Apache given the > usage of OpenSSL as the SSL/TLS library. > > Does that sum it up? > > Thanks, > Karl > > ---------------------------------------- >> Date: Tue, 16 Jun 2015 23:54:39 +0200 >> From: ylavic....@gmail.com >> To: users@httpd.apache.org >> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite >> >> On Tue, Jun 16, 2015 at 10:48 PM, karl karloff <karlkarl...@hotmail.com> >> wrote: >>> I am attempting to set up more than one subdomain on :443 in this example. >>> >>> so something like >>> sslv3.example.com:443 responds with SSLv3 only >>> tlsv1.example.com:443 responds with TLSv1.0 only >>> ... >>> >>> I wasn't aware that could be achieved using the ServerName directive. >>> >>> The underlying IP/interface should be the same for all subdomains, but each >>> subdomain responds by accepting only a single SSLProtocol. >>> >>> Does that make sense? >> >> It does, however there is a limitation currently in OpenSSL in that it >> can't renegotiate the protocol. >> Hence this configuration will work only with browsers/clients >> supporting (and advertising) the Server Name Indication (SNI), which >> allows to select the correct VirtualHost before the negotiation >> occurs. >> Otherwise, Apache HTTPd will have to negotiate before being able to >> read the requested Host header, and hence determine the VirtualHost. >> Thus it will do the negotiation occording to the parameters (protocol, >> ciphers, ...) of the first vhost declared on the listening IP:port. >> If finally the determined vhost is not the one used for the >> negotiation, it will ask for a renegotiation which, as said above, >> won't take the SSLProtocol into consideration due to OpenSSL not being >> able to do that (the SSLCipherSuite can be renegotiated though). >> >> So all should be fine with SNI only. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org