httpd-users mailing list archives

From "linux.il" <linux...@gmail.com>
Subject Re: [users@httpd] TLS 1.1 and 1.2 and SNI support
Date Mon, 23 May 2016 14:01:49 GMT
On Mon, May 23, 2016 at 4:39 PM, Eric Covener <covener@gmail.com> wrote:

> On Mon, May 23, 2016 at 9:36 AM, linux.il <linux.il@gmail.com> wrote:
> > As far as I see from my experiments (Apache 2.4.6 on RHEL7) and users'
> > reports, SNI needs TLS 1.0 and doesn't work with TLS1.1/1.2.
> > This behavior seems really weird to me; unfortunately I couldn't find any
> > explanation for it.
> > My question is: did I miss something? Is there any way to use SNI w/o
> > TLSv1?
> > We want to disable TLS 1.0, but don't want to lose SNI functionality.
> >
> > URLs:
> > - https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI "The first
> > (default) vhost for SSL name-based virtual hosts must include TLSv1 as a
> > permitted protocol"
> > - http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
> >
> > TIA,
> > Vitaly
> > PS: I understand that my question is not 100% on-topic but I hope it's close
> > enough.
>
>
> All of those references are contrasting TLSv1 with SSLv3, not with
> TLSv1.2.  SNI works fine with TLSv1.0 _and later_
>
> --
> Eric Covener
> covener@gmail.com


Eric,
Thank you!
For some reason, if I add "-TLSv1" to the SSLProtocol directive in my default
SSL vhost, SNI isn't working anymore:

"SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
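
An added check, not part of this thread or of the httpd project, for the point Eric makes: SNI does not depend on TLS 1.0. It runs a local openssl s_server with two certificates, pins both sides to TLS 1.2 only, and verifies that the certificate returned matches the SNI name sent; the host names, port and temporary paths are constructed for the demo, and the OpenSSL command-line tool is assumed to be installed.

```shell
# Added example, not from the thread: offline check that SNI name-based
# certificate selection works with TLS 1.2 alone (no TLS 1.0 enabled).
# Default cert is CN=a.example; the SNI-selected second cert is CN=b.example.
# Host names, port and temp directory are constructed for this demo.
set -e
PORT=14433

# Generate a throwaway self-signed certificate for one virtual host name.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1
}

# Connect over TLS 1.2 only, sending the given SNI name, and print the CN of
# the certificate the server chose (handles both "CN=x" and "CN = x" output).
served_cn() {
  openssl s_client -connect "127.0.0.1:$PORT" -servername "$1" -tls1_2 \
    </dev/null 2>/dev/null | sed -n 's/^subject=.*CN *= *//p' | head -n 1
}

# Returns 0 when each SNI name receives its own certificate, 1 otherwise.
run_check() {
  work=$(mktemp -d)
  make_cert a.example "$work"
  make_cert b.example "$work"
  # -cert/-key is the default vhost; -servername/-cert2/-key2 is the SNI vhost.
  # -tls1_2 restricts the server to TLS 1.2, so TLS 1.0 cannot be negotiated.
  openssl s_server -accept "$PORT" -tls1_2 -www \
    -cert "$work/a.example.crt" -key "$work/a.example.key" \
    -servername b.example -cert2 "$work/b.example.crt" -key2 "$work/b.example.key" \
    </dev/null >/dev/null 2>&1 &
  server=$!
  sleep 1
  status=0
  [ "$(served_cn b.example)" = "b.example" ] || status=1
  [ "$(served_cn a.example)" = "a.example" ] || status=1
  kill "$server" 2>/dev/null || true
  rm -rf "$work"
  return $status
}

run_check && echo "SNI selected the matching certificate over TLS 1.2 only"
```

The same client command, pointed at a real httpd with `-servername` set to a non-default vhost name, shows which certificate that server hands out once TLS 1.0 is disabled.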
