Re: Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Marian,

as far as I understand (educated guess!), the 'server_name' is sent during the TLS handshake, but after server and client have agreed on a TLS version. Hence, I would expect that a client which prefers TLS 1.2 will never see 'second.server.on.my.domain'. Which may be exactly what you want.
However, the order in which the 'VirtualHost's are initialized does matter. So I would suggest putting the 1.3-only server first in your config.
I would also suggest setting 'SSLProtocol -all +TLSv1.2 +TLSv1.3' in the SSL module's config and, after that, denying it in 'second.server.on.my.domain' with 'SSLProtocol -TLSv1.2'. Have a look at 'SSLCipherSuite' and 'SSLHonorCipherOrder'; maybe you need to change the order here.

On 16.10.19 at 09:17, Marian Ion wrote:
> According to
> <https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHostsWithSNI>
> "With SNI, you can have many virtual hosts sharing the same IP address
> and port, and each one can have its own unique certificate (and the rest
> of the configuration)."
> 
> So, using Apache 2.4.41 on a Debian Buster with OpenSSL/1.1.1d I have
> - in ssl.conf: SSLStrictSNIVHostCheck On
> - in virtual hosts files I have something like
> <VirtualHost *:443>
>   ServerName      first.server.on.my.domain
>   SSLProtocol    -all +TLSv1.2 +TLSv1.3
> </virtualHost>
> 
> <VirtualHost *:443>
>   ServerName      second.server.on.my.domain
>   SSLProtocol    -all +TLSv1.3
> </virtualHost>
> 
> For both I use wildcard certificates for *server.on.my.domain; what I
> would like is to have the second server responding to TLS 1.3 only -
> however, it seems that the configuration of the first virtual host prevails!
> 
> Is it possible to do what I am looking for? If yes, what am I doing wrong?
> 
> Marian Ion

Martin
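A way to check what each SNI name actually negotiates after such a configuration change, as an added example that is not part of this thread: a POSIX shell script that runs openssl s_client with -servername and a forced TLS version per attempt and reports whether the handshake completed. It uses the hostnames from the thread; port 443, the OpenSSL 1.1.1 s_client output format and the script name probe.sh are assumptions, and the embedded s_client outputs are constructed samples for the parser.

```shell
#!/bin/sh
# Added example (not from the thread): per-SNI TLS version probe with
# openssl s_client. Hostnames are the thread's; port 443 and the
# OpenSSL 1.1.1 output format are assumptions.

# handshake_summary OUTPUT -> "<protocol> <cipher>" when the handshake
# completed, or "refused" when s_client reports "Cipher is (NONE)".
# The "Protocol :" line alone is not enough: s_client prints it even
# after a failed handshake, so the negotiated cipher is checked first.
handshake_summary() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo refused ;;
        *) echo "$proto $cipher" ;;
    esac
}

# probe SNI VERSIONFLAG [HOST] -> one line per attempt, e.g.
#   second.server.on.my.domain   -tls1_2  refused
# HOST defaults to SNI; pass an IP to test before DNS points at the box.
probe() {
    sni=$1; flag=$2; host=${3:-$1}
    out=$(openssl s_client -connect "$host:443" -servername "$sni" \
              "$flag" </dev/null 2>&1) || true
    printf '%-30s %-8s %s\n' "$sni" "$flag" "$(handshake_summary "$out")"
}

# Constructed samples of s_client output (a completed TLS 1.3 handshake
# and a refused TLS 1.2 attempt), used to exercise handshake_summary offline.
SAMPLE_OK="New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384"
SAMPLE_REFUSED="SSL routines:ssl3_read_bytes:tlsv1 alert protocol_version
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000"

# Live run (needs network), hypothetical script name probe.sh:
#   PROBE_HOSTS="first.server.on.my.domain second.server.on.my.domain" ./probe.sh
for sni in ${PROBE_HOSTS:-}; do
    for flag in -tls1_2 -tls1_3; do probe "$sni" "$flag"; done
done
```

If the second vhost is really TLS 1.3 only, its -tls1_2 line reads "refused" while the first vhost completes both attempts; a completed -tls1_2 handshake under the second name shows the first vhost's SSLProtocol still prevailing.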
