On Mon, May 23, 2016 at 4:39 PM, Eric Covener <cove...@gmail.com> wrote:
> On Mon, May 23, 2016 at 9:36 AM, linux.il <linux...@gmail.com> wrote:
> > As far as I see from my experiments (Apache 2.4.6 on RHEL7) and users'
> > reports, SNI needs TLS 1.0 and doesn't work with TLS 1.1/1.2.
> > This behavior seems really weird to me; unfortunately I couldn't find any
> > explanation for it.
> > My question is: did I miss something? Is there any way to use SNI w/o
> > TLSv1?
> > We want to disable TLS 1.0, but don't want to lose SNI functionality.
> >
> > URLs:
> > - https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI "The first
> > (default) vhost for SSL name-based virtual hosts must include TLSv1 as a
> > permitted protocol"
> > - http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
> >
> > TIA,
> > Vitaly
> > PS: I understand that my question is not 100% on-topic but I hope it's close
> > enough.
>
> All of those references are contrasting TLSv1 with SSLv3, not with
> TLSv1.2. SNI works fine with TLSv1.0 _and later_.
>
> --
> Eric Covener
> cove...@gmail.com

Eric,

Thank you! For some reason, if I add "-TLSv1" to the SSLProtocol directive in my default SSL vhost, SNI isn't working anymore:

"SSLProtocol All -SSLv2 -SSLv3 -TLSv1"