Bug 57100 - "SSLProtocol ALL" is ignored for virtual hosts
Summary: "SSLProtocol ALL" is ignored for virtual hosts
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2014-10-16 10:15 UTC by Michael Kaufmann
Modified: 2015-07-22 22:19 UTC (History)
1 user (show)

Bugfix (for trunk, but also works for 2.4) (2.46 KB, patch)
2015-01-16 14:08 UTC, Michael Kaufmann
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Kaufmann 2014-10-16 10:15:11 UTC
It is not possible to set "SSLProtocol ALL" for a virtual host. The setting is ignored.

* global setting: SSLProtocol ALL -SSLv3
* virtual host setting: SSLProtocol ALL

The virtual host's setting is ignored and SSLv3 is disabled for the virtual host.

The bug is in ssl_engine_config.c (modssl_ctx_cfg_merge):

#define cfgMerge(el,unset)  mrg->el = (add->el == (unset)) ? base->el : add->el
cfgMerge(protocol, SSL_PROTOCOL_ALL);

=> the value "SSL_PROTOCOL_ALL" is treated as "undefined" and the global setting is used instead.
Comment 1 Michael Kaufmann 2015-01-16 14:08:34 UTC
Created attachment 32370 [details]
Bugfix (for trunk, but also works for 2.4)

I have created a patch.

I hope that someone has the time to test this and commit it to trunk. Please also propose this bugfix for backport to 2.4.x.
Comment 2 Michael Kaufmann 2015-01-23 09:19:02 UTC
The proposed patch has a bug, see http://svn.apache.org/r1653993 .

The real bugfix is http://svn.apache.org/r1653997 .
Comment 3 Yann Ylavic 2015-01-23 09:32:30 UTC
Thanks Michael for the follow up.
Backport to 2.4.x proposed in r1653998.
Comment 4 Yann Ylavic 2015-03-02 11:24:17 UTC
Backported to upcoming 2.4.13.
Comment 5 Yann Ylavic 2015-07-22 22:19:11 UTC
Backported to 2.2.30 in r1680917.