diff options
-rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index ac03b2ef7f..134fb17afb 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2612,14 +2612,13 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) #if OPENSSL_VERSION_NUMBER >= 0x1010007fL \ && (!defined(LIBRESSL_VERSION_NUMBER) \ || LIBRESSL_VERSION_NUMBER >= 0x20800000L) - /* - * Don't switch the protocol if none is configured for this vhost, - * the default in this case is still the base server's SSLProtocol. - */ - if (myConnCtxConfig(c, sc)->protocol_set) { - SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx)); - SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx)); - } + /* Switch to the vhost's protocols. Note that 2.4 used to do this + * only if SSLProtocol was configured/inherited for this vhost, using + * the base server's SSLProtocol otherwise. From 2.5 usual merging + * applies. + */ + SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx)); + SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx)); #endif if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || (SSL_num_renegotiations(ssl) == 0)) { |