My global settings I have SSLProtocol -all +TLSv1.2 +TLSv1.3 In one vhost I want only TLS 1.3. So in that vhost I added SSLProtocol -all +TLSv1.3 However that setting does not work. On that vhost even a client that can not do TLSv1.3 can connect. Apache: 2.4.37 OpenSSL: 1.1.1a nghttp2: 1.32.0 Tried with winnt mpm and event mpm
AFAIK, the TLS protocol selection triggers before the Server Name Indication (SNI) is available and can select your vhost. This means that the protocol settings of the *first* vhost that you define for the given port (here probably 443) will determine the base SSL capabilities, such as protocols. The server does not enforce the protocol version after the connection has been made and the vhost selected, because this would break the negotiation after it happened. This is one of the quirks of mod_ssl and httpd's vhost selection, I'm afraid. In your case, you basically have to decide which SSL protocol versions you want on any address:port combination your server offers. If you can move your special host to a separate IP, make that host the first one for that, the protocol selection can be enforced. Hoppe this helps.
Created attachment 36857 [details] ssl callback Hello Client patch from Yann Ylavic This patch allows each vhost to run with its own SSLProtocol
*** This bug has been marked as a duplicate of bug 55707 ***