There has been work done by Ylavic regarding this. I do not know in which release his changes made it. However, up to then, certain SSL* configs did only apply from the _first_ VirtualHost for a given port. Subsequent declarations in other vhosts had no effect. (This is probably all historical from the time before SNI was used everywhere.)

- Stefan

> On 14.10.2020 at 10:56, Thomas Plant <thomas@plant.systems> wrote:
>
> Hello,
>
> I have a virtualhost where I need to allow only TLSv1.2.
>
> Tried following config:
>
> <VirtualHost *:443>
> ServerName xxxxxx
> ServerAlias xxxxxx
> ..
> .. cut rest to shorten a bit
> ..
> SSLEngine On
> SSLProtocol -all +TLSv1.2
> SSLCertificateFile /etc/letsencrypt/live/xxxxx/cert.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx/privkey.pem
> SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx/chain.pem
> </VirtualHost>
>
> But when I do a test with "nmap --script ssl-enum-ciphers -p 443 URLofSite | grep TLSv" I always see that TLSv1.1 is still activated. Also tested with other tools like ssllabs.com....
> As found on serverfault.com I tried the following directive too but without success:
>
> SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
>
> Seems that the generic config file in /etc/httpd/conf.d/ssl.conf always overrides my settings in the virtualhost?
>
> Thanks for any help,
> Thomas
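A check for the behaviour Stefan describes, as an added example that is not part of the original thread: it lists VirtualHost blocks whose SSLProtocol differs from the value of the first vhost declared for the same address:port, which is where a per-vhost setting may have no effect. It assumes the configuration is one text with Include files already expanded and that a vhost without its own SSLProtocol inherits the server-level one; the sample config, host names and function names are constructed.

```python
import re

# Constructed sample modelled on the thread; host names are placeholders.
SAMPLE = """\
SSLProtocol all -SSLv3
<VirtualHost *:443>
    ServerName default.example
</VirtualHost>
<VirtualHost *:443>
    ServerName tls12.example
    SSLProtocol -all +TLSv1.2
</VirtualHost>
<VirtualHost *:8443>
    ServerName other.example
    SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

def parse(conf):
    """Return (server-level SSLProtocol, list of vhost dicts in file order)."""
    server, vhosts, cur = {"proto": None}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1).strip(), "name": "?", "proto": None}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            scope = server if cur is None else cur
            if key.lower() in ("sslprotocol", "servername"):
                field = "proto" if key.lower() == "sslprotocol" else "name"
                scope[field] = " ".join("".join(rest).split())
    return server["proto"], vhosts

def find_shadowed_sslprotocol(conf):
    """List (name, addr, wanted, first_vhost_value) where the first vhost wins."""
    global_proto, vhosts = parse(conf)
    first, findings = {}, []
    for v in vhosts:
        effective = first.setdefault(v["addr"], v["proto"] or global_proto)
        if v["proto"] and v["proto"] != effective:
            findings.append((v["name"], v["addr"], v["proto"], effective))
    return findings

if __name__ == "__main__":
    for finding in find_shadowed_sslprotocol(SAMPLE):
        print("SSLProtocol may be ignored:", finding)
```

An empty result means every vhost on a given address:port asks for the same protocol set as the first one, so the outcome does not depend on which httpd release is running.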