mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost selected by Hello/SNI callback. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868929 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2019-10-25 13:26:14 +00:00
parent 29761d0a18
commit ce68ba8b33
1 changed files with 8 additions and 2 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2514,8 +2514,14 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
        && (!defined(LIBRESSL_VERSION_NUMBER) \
            || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
-        SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
-        SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+        /*
+         * Don't switch the protocol if none is configured for this vhost,
+         * the default in this case is still the base server's SSLProtocol.
+         */
+        if (myCtxConfig(sslcon, sc)->protocol_set) {
+            SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
+            SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+        }
 #endif
        if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
            (SSL_num_renegotiations(ssl) == 0)) {