Thanks for your answer, Stefan.

So I would suggest making the documentation of SSLProtocol clear like this:

"
You need to name the 'highest' protocol and the 'lowest' protocol, and all protocols in between them, without a gap.

E.g. if you want to support TLSv1.2 and TLSv1.0, you need to set
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1

If you would only set
SSLProtocol -all +TLSv1.2 +TLSv1
Apache would stop at TLSv1.2 because there is a gap in the protocol list, and only support TLSv1.2.

If you only want to support TLSv1.2, you would set
SSLProtocol TLSv1.2
"

I mean, this is weird, but if it is really like so, you should be brave and document this weirdness like it is, or fix it. How could the users figure this behaviour out otherwise? It took me hours to find the solution, and only by guessing and trying.

> I believe this is the result of a deliberate change in the OpenSSL API when going to version 1.1.0.
>
> In earlier versions of OpenSSL one could switch on/off individual protocols, whereas now one specifies a minimum and maximum TLS version to use.
>
> In Apache, the configuration handling needed to accommodate for that and the implementation looks for the "highest" protocol and then scans "downward". If a protocol is not listed, it basically stops. I am not sure why this decision was taken, but it seems that one wanted to avoid enabling a protocol that was not configured.
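
The behaviour discussed in this thread, modelled as an added example for auditing SSLProtocol lines (it is not part of the original messages and is not mod_ssl's code). It assumes the ordering TLSv1 < TLSv1.1 < TLSv1.2 < TLSv1.3 and that a bare protocol name replaces the list; the function names are hypothetical.

```python
# Model of "find the highest listed protocol, scan downward, stop at a gap"
# as described in the thread. Illustration only, not mod_ssl source.
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # lowest to highest (assumed)

def parse_sslprotocol(value):
    """Return the set of protocol names an SSLProtocol value lists."""
    listed = set()  # assumption: parsing starts from an empty list
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = set(ORDER) if name.lower() == "all" else {name}
        unknown = names - set(ORDER)
        if unknown:
            raise ValueError(f"protocol not covered by this model: {sorted(unknown)}")
        if action == "+":
            listed |= names
        elif action == "-":
            listed -= names
        else:
            listed = set(names)  # assumption: bare name replaces the list
    return listed

def effective_range(value):
    """Return (minimum, maximum, dropped) for an SSLProtocol value.

    'dropped' holds protocols that were listed but fall below a gap and
    are therefore not offered under the min/max model.
    """
    listed = parse_sslprotocol(value)
    if not listed:
        return None, None, []
    high = max(ORDER.index(p) for p in listed)
    low = high
    # Scan downward from the highest protocol; stop at the first missing one.
    while low > 0 and ORDER[low - 1] in listed:
        low -= 1
    enabled = set(ORDER[low:high + 1])
    dropped = sorted(listed - enabled, key=ORDER.index)
    return ORDER[low], ORDER[high], dropped

if __name__ == "__main__":
    # Directive values taken from the message above.
    for value in ("-all +TLSv1.2 +TLSv1.1 +TLSv1",
                  "-all +TLSv1.2 +TLSv1",
                  "TLSv1.2"):
        lo, hi, dropped = effective_range(value)
        note = f"  (listed but not offered: {', '.join(dropped)})" if dropped else ""
        print(f"SSLProtocol {value}\n  min={lo} max={hi}{note}")
```

A non-empty `dropped` list marks a configuration whose written intent and effective protocol range differ, which is the case the poster spent hours tracking down.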