summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--modules/ssl/ssl_engine_kernel.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index ac03b2ef7f..134fb17afb 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2612,14 +2612,13 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
#if OPENSSL_VERSION_NUMBER >= 0x1010007fL \
&& (!defined(LIBRESSL_VERSION_NUMBER) \
|| LIBRESSL_VERSION_NUMBER >= 0x20800000L)
- /*
- * Don't switch the protocol if none is configured for this vhost,
- * the default in this case is still the base server's SSLProtocol.
- */
- if (myConnCtxConfig(c, sc)->protocol_set) {
- SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
- SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
- }
+ /* Switch to the vhost's protocols. Note that 2.4 used to do this
+ * only if SSLProtocol was configured/inherited for this vhost, using
+ * the base server's SSLProtocol otherwise. From 2.5 usual merging
+ * applies.
+ */
+ SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
+ SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
#endif
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {