From 543a0be8808ebfbb737e3e002016298e13440a64 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Wed, 16 Oct 2024 14:11:41 +0000 Subject: [PATCH] mod_ssl: Revert r1868929 on trunk (only). We discussed in 2019 that after 2.4.x's backport r1873907 we should apply normal/usual merging for SSLProtocol in next versions (thus trunk first). See: https://lists.apache.org/thread/76yh7j3fwj2tsmffsqcqpv4mcfph5vqx Make this happen finally. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921360 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_kernel.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index ac03b2ef7f5..134fb17afb5 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2612,14 +2612,13 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) #if OPENSSL_VERSION_NUMBER >= 0x1010007fL \ && (!defined(LIBRESSL_VERSION_NUMBER) \ || LIBRESSL_VERSION_NUMBER >= 0x20800000L) - /* - * Don't switch the protocol if none is configured for this vhost, - * the default in this case is still the base server's SSLProtocol. - */ - if (myConnCtxConfig(c, sc)->protocol_set) { - SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx)); - SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx)); - } + /* Switch to the vhost's protocols. Note that 2.4 used to do this + * only if SSLProtocol was configured/inherited for this vhost, using + * the base server's SSLProtocol otherwise. From 2.5 usual merging + * applies. + */ + SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx)); + SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx)); #endif if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || (SSL_num_renegotiations(ssl) == 0)) {