On Thu, Oct 17, 2019 at 2:06 AM Marian Ion <m....@oodrive.com> wrote:
> > Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the > documentation "If set to on in the default name-based virtual host, > clients that are SNI unaware will not be allowed to access any virtual > host". > I set it in the default virtual host and in my "second.server" (that is > supposed to be TLS 1.3 only) but it didn't change the behaviour (i.e. > second.server still accepts TLS 1.2 requests...) > TLS revision describes the handshake protocol. Either the listener accepts TLS 1.2 handshakes, or it does not, it won't look at SNI until the handshake is in flight with the respective TLS handshake. This points out the possibility of multi-homing the box with one IP which accepts TLS 1.2+ and a different IP listening with TLS 1.3 only.
