mod_ssl: follow up to r1868645.

[apache] / modules / ssl / ssl_engine_kernel.c

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 023971b234fc36e9db6a55aca5077abdee03ada2..0d17ec69391b692f41e950d1c7ccf2bac9f7e44c 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2514,8 +2514,14 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
         && (!defined(LIBRESSL_VERSION_NUMBER) \
             || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
-        SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
-        SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+        /*
+         * Don't switch the protocol if none is configured for this vhost,
+         * the default in this case is still the base server's SSLProtocol.
+         */
+        if (myCtxConfig(sslcon, sc)->protocol_set) {
+            SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
+            SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+        }
 #endif
         if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
             (SSL_num_renegotiations(ssl) == 0)) {