From: "linux.il"
To: users@httpd.apache.org
Date: Mon, 23 May 2016 17:27:59 +0300
Subject: Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

On Mon, May 23, 2016 at 5:16 PM, Eric Covener wrote:

> > For some reason if I add "-TLSv1" to SSLProtocol directive in my default
> > SSL vhost, SNI isn't working anymore:
> >
> > "SSLProtocol All -SSLv2 -SSLv3 -TLSv1"
> >
>
> What protocol is used? Does the client send the SNI extension?
>

I'm using the same "curl" and "wget" for testing. As soon as I disable TLS v1.0, I get "curl: (35) SSL connect error" and
"ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match requested host name “my-vhost-name”"
in wget.

BTW, a similar issue is reported here:
http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure

