Bug 62939 - SSLProtocol and TLSv1.3
Summary: SSLProtocol and TLSv1.3
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.37
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2018-11-22 09:09 UTC by Mario
Modified: 2019-10-23 09:46 UTC (History)



Attachments
ssl callback Hello Client patch from Yann Ylavic (8.81 KB, patch)
2019-10-23 09:32 UTC, Mario

Description Mario 2018-11-22 09:09:59 UTC
In my global settings I have

SSLProtocol -all +TLSv1.2 +TLSv1.3

In one vhost I want only TLS 1.3. So in that vhost I added 

SSLProtocol -all +TLSv1.3 

However, that setting does not work. On that vhost even a client that cannot do TLSv1.3 can connect.

Apache: 2.4.37
OpenSSL: 1.1.1a
nghttp2: 1.32.0

Tried with the winnt MPM and the event MPM.
Comment 1 Stefan Eissing 2018-11-22 09:43:12 UTC
AFAIK, the TLS protocol selection triggers before the Server Name Indication (SNI) is available and can select your vhost.

This means that the protocol settings of the *first* vhost that you define for the given port (here probably 443) will determine the base SSL capabilities, such as protocols.

The server does not enforce the protocol version after the connection has been made and the vhost selected, because this would break the negotiation after it happened.

This is one of the quirks of mod_ssl and httpd's vhost selection, I'm afraid.

In your case, you basically have to decide which SSL protocol versions you want on any address:port combination your server offers. If you can move your special host to a separate IP and make that host the first one defined for that address, the protocol selection can be enforced.

Hope this helps.
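The following configuration is an added illustration of the ordering behaviour described in the comment above; it is not part of the bug report or of httpd's own documentation. Host names, certificate paths and the 192.0.2.x addresses are placeholders (192.0.2.0/24 is the RFC 5737 documentation range). It shows the shared listener where the first vhost's SSLProtocol wins, the second vhost whose narrower SSLProtocol is not enforced on 2.4.37 as reported, and the separate-IP workaround.

```apacheconf
# Shared listener: both names are served on the same address:port.
# Protocol negotiation happens before SNI can pick a vhost, so the
# FIRST vhost defined for 192.0.2.1:443 fixes the protocol set for
# every name behind that listener.
Listen 192.0.2.1:443

<VirtualHost 192.0.2.1:443>
    # placeholder name and paths
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/www.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/www.key
    # This line governs all of 192.0.2.1:443.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>

<VirtualHost 192.0.2.1:443>
    # placeholder name and paths
    ServerName tls13only.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/tls13.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/tls13.key
    # Intended to be TLS 1.3 only, but on the reported version this is
    # NOT enforced: a TLS 1.2 client sending this SNI still connects,
    # because the listener's protocol set was fixed by the vhost above.
    SSLProtocol -all +TLSv1.3
</VirtualHost>

# Workaround from the comment: give the special host its own IP and make
# it the first (here the only) vhost on that address, so its SSLProtocol
# is the one applied to that listener.
Listen 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    # placeholder name and paths
    ServerName tls13only.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/tls13.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/tls13.key
    # Enforced here: TLS 1.2 clients are rejected at the handshake.
    SSLProtocol -all +TLSv1.3
</VirtualHost>
```

Note that httpd does not accept comments on the same line as a directive, which is why every comment above sits on its own line. To check which behaviour a deployment actually exhibits, connect to each address with `openssl s_client -connect <ip>:443 -servername tls13only.example.org -tls1_2`: on the shared listener the handshake completes, on the dedicated listener it fails, which is the difference the comment describes.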
Comment 2 Mario 2019-10-23 09:32:29 UTC
Created attachment 36857
ssl callback Hello Client patch from Yann Ylavic

This patch allows each vhost to run with its own SSLProtocol