From: karl karloff
To: "users@httpd.apache.org"
Date: Tue, 16 Jun 2015 11:57:21 -0600
Subject: RE: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite

I must have mistyped my config.

Assuming a config such as the following

SSLProtocol     -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
...

If I restart apache, and then try to test that (the --insecure is for a self-signed cert):

$ curl https://sslv3.example.com --insecure --tlsv1.0

It works!

Shouldn't it fail and not negotiate that?

Thanks,
Karl

----------------------------------------
> Date: Tue, 16 Jun 2015 11:17:22 +0200
> From: sarkofage77@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>
> Hi,
>
> Have you tested with the "+"?
>
> from docs :
> Syntax:SSLProtocol [+|-]protocol ...
>
> ex :
>
> SSLProtocol +TLSv1.2
> ...
>
>
> SSLProtocol +SSLv3
> ...
>
>
>
>
> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff wrote:
>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>>
>> e.g.
>> www.example.com requires modern encryption (i.e. TLSv1.2)
>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>
>> I tried using something like
>>
>>
>> SSLProtocol TLSv1.2
>> ...
>>
>>
>> SSLProtocol SSLv3
>> ...
>>
>>
>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>>
>> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>>
>> Thanks,
>> Karl
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
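
Added example, not part of the thread and not Apache project code: a Python check that evaluates the `SSLProtocol [+|-]protocol ...` syntax quoted from the docs above and reports listening addresses whose VirtualHosts resolve to different protocol sets. The `<VirtualHost>` blocks, the `*:443` address and the helper names are constructed for illustration, and `all` is assumed to mean the four protocols named in the thread.

```python
import re
from collections import defaultdict

# Assumption: "all" means the four protocols named in the thread.
ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
SETS = {**{p.lower(): {p} for p in ALL}, "all": set(ALL)}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right as [+|-]protocol tokens."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        chosen = SETS[token[len(action):].lower()]  # KeyError: unknown name
        if action == "+":
            enabled = enabled | chosen
        elif action == "-":
            enabled = enabled - chosen
        else:  # a bare name replaces whatever was set before it
            enabled = set(chosen)
    return enabled

def vhost_protocols(conf):
    """Return {address: [(ServerName, protocol set), ...]} in file order."""
    by_addr = defaultdict(list)
    for addr, body in re.findall(r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf):
        name = re.search(r"(?im)^\s*ServerName\s+(\S+)", body)
        proto = re.search(r"(?im)^\s*SSLProtocol\s+(.+)$", body)
        by_addr[addr.strip()].append((name.group(1) if name else None,
                                      effective_protocols(proto.group(1)) if proto else None))
    return by_addr

def mixed_addresses(conf):
    """Addresses whose vhosts resolve to different protocol sets."""
    return {addr: hosts for addr, hosts in vhost_protocols(conf).items()
            if len({None if p is None else frozenset(p) for _, p in hosts}) > 1}

# Constructed sample configuration; hostnames follow the thread's examples.
SAMPLE = """<VirtualHost *:443>
    ServerName www.example.com
    SSLProtocol -All +TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName sslv3.example.com
    SSLProtocol -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
</VirtualHost>"""

if __name__ == "__main__":
    print(mixed_addresses(SAMPLE))
```

The mod_ssl documentation for SSLProtocol notes that, where the protocol version cannot be switched once SNI has been read, name-based virtual hosts negotiate with the SSLProtocol of the first virtual host declared on the listening IP:port. An address reported here is therefore the place to repeat the per-protocol curl test against each hostname.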