It is not possible to set "SSLProtocol ALL" for a virtual host. The setting is ignored. Example: * global setting: SSLProtocol ALL -SSLv3 * virtual host setting: SSLProtocol ALL The virtual host's setting is ignored and SSLv3 is disabled for the virtual host. The bug is in ssl_engine_config.c (modssl_ctx_cfg_merge): === #define cfgMerge(el,unset) mrg->el = (add->el == (unset)) ? base->el : add->el ... cfgMerge(protocol, SSL_PROTOCOL_ALL); === => the value "SSL_PROTOCOL_ALL" is treated as "undefined" and the global setting is used instead.
Created attachment 32370 [details] Bugfix (for trunk, but also works for 2.4) I have created a patch. I hope that someone has the time to test this and commit it to trunk. Please also propose this bugfix for backport to 2.4.x.
The proposed patch has a bug, see http://svn.apache.org/r1653993 . The real bugfix is http://svn.apache.org/r1653997 .
Thanks Michael for the follow up. Backport to 2.4.x proposed in r1653998.
Backported to upcoming 2.4.13.
Backported to 2.2.30 in r1680917.