Hi,

Something doesn't seem right between httpd.conf and
tls_config_parse_protocols. Running today's snapshot, but was first
attempted in the 15 Dec snapshot.

httpd.conf(5) says to get TLS protocols from
tls_config_parse_protocols(3). That page says:

     The tls_config_parse_protocols() function parses a protocol string and
     returns the corresponding value via the protocols argument.  This value
     can then be passed to the tls_config_set_protocols() function.  The
     protocol string is a comma or colon separated list of keywords. 

Comma- or colon-delimited. Seems fine.

My httpd.conf is this:

server "www3.mwlucas.org" {
        listen on * port 80
        block return 302 "https://$SERVER_NAME$REQUEST_URI";
}

server "www3.mwlucas.org" {
        alias tarpit.mwlucas.org
        listen on * tls port 443
        hsts
        # TLS certificate and key files created with acme-client(1)
        tls certificate "/etc/ssl/acme/fullchain.pem"
        tls key "/etc/ssl/acme/private/privkey.pem"
        tls ocsp "/etc/ssl/acme/ocsp.der"
        tls protocols tlsv1.0,tlsv1.1

           location "/.well-known/acme-challenge/*" {
                   root "/acme"
                   root strip 2
           }
}
The man page says I can use a comma instead of a colon, so I change it
like so.

        tls protocols tlsv1.0,tlsv1.1

This gives me

# httpd -n
/etc/httpd.conf:16: syntax error

Looks like something doesn't match.

The man page also says:

     If a value has a negative prefix (in the form of a leading exclamation
     mark) then it is removed from the list of available protocols, rather
     than being added to it.

I read this as meaning the following should work.

        tls protocols all:!tlsv1.0

Instead, I get:

# httpd -n
/etc/httpd.conf:16: invalid tls protocols

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
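
An added example, not code from the thread and not the libtls source: a small C re-implementation of the protocol-string rules that tls_config_parse_protocols(3) documents (keywords separated by `,` or `:`, a leading `!` removes a protocol, `all` selects everything), so the three strings from the post can be walked through by hand. The `PROTO_*` bit values, the `parse_protocols` name and the choice to treat a leading negated keyword as "everything except this" are this example's own assumptions, not libtls's definitions.

```c
/* Added example (not from the thread or from libtls): a re-implementation
 * of the protocol-string rules that tls_config_parse_protocols(3) documents.
 * Rules implemented: keywords separated by ',' or ':' (mixed is fine),
 * a leading '!' removes a protocol, "all" selects every protocol.
 * The bit values are this example's own and are NOT libtls's constants. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TLSv1_0 (1u << 0)
#define PROTO_TLSv1_1 (1u << 1)
#define PROTO_TLSv1_2 (1u << 2)
#define PROTO_ALL     (PROTO_TLSv1_0 | PROTO_TLSv1_1 | PROTO_TLSv1_2)

/* Case-insensitive comparison of a length-delimited token with a keyword. */
static int kw_eq(const char *tok, size_t len, const char *kw)
{
    if (strlen(kw) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)kw[i]))
            return 0;
    return 1;
}

/* Map one keyword (already stripped of any leading '!') to its bits.
 * Returns 0 for an empty or unknown keyword. */
static uint32_t keyword_bits(const char *tok, size_t len)
{
    if (kw_eq(tok, len, "tlsv1.0")) return PROTO_TLSv1_0;
    if (kw_eq(tok, len, "tlsv1.1")) return PROTO_TLSv1_1;
    if (kw_eq(tok, len, "tlsv1.2")) return PROTO_TLSv1_2;
    if (kw_eq(tok, len, "all"))     return PROTO_ALL;
    return 0;
}

/* Parse protostr into *protocols. Returns 0 on success and -1 when any
 * field is empty or unknown, in which case *protocols is left untouched.
 * Assumption of this example: a negated keyword that appears before
 * anything was selected means "everything except this", so
 * "!tlsv1.0" resolves the same way as "all:!tlsv1.0". */
int parse_protocols(uint32_t *protocols, const char *protostr)
{
    const char *p = protostr;
    uint32_t result = 0;

    for (;;) {
        size_t len = strcspn(p, ",:");   /* length of the current field */
        const char *tok = p;
        size_t toklen = len;
        int negate = 0;

        while (toklen > 0 && (*tok == ' ' || *tok == '\t')) {
            tok++;                       /* tolerate leading blanks */
            toklen--;
        }
        if (toklen > 0 && *tok == '!') {
            negate = 1;
            tok++;
            toklen--;
        }
        if (negate && result == 0)
            result = PROTO_ALL;

        uint32_t bits = keyword_bits(tok, toklen);
        if (bits == 0)                   /* empty or unknown keyword */
            return -1;
        if (negate)
            result &= ~bits;
        else
            result |= bits;

        p += len;
        if (*p == '\0')
            break;
        p++;                             /* step over the ',' or ':' */
    }
    *protocols = result;
    return 0;
}

/* Walk through the strings from the post, plus one with a separator the
 * documented grammar does not know, which therefore parses as one bogus keyword. */
int main(void)
{
    const char *inputs[] = { "tlsv1.0,tlsv1.1", "tlsv1.0:tlsv1.1",
                             "all:!tlsv1.0", "tlsv1.0;tlsv1.1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t protos;
        if (parse_protocols(&protos, inputs[i]) == 0)
            printf("%-18s -> 0x%02x\n", inputs[i], protos);
        else
            printf("%-18s -> invalid\n", inputs[i]);
    }
    return 0;
}
```

Under these rules both `tlsv1.0,tlsv1.1` and `tlsv1.0:tlsv1.1` yield the same two-protocol mask and `all:!tlsv1.0` yields everything but TLS 1.0, which is what the quoted man page text describes; a configuration front end that rejects those strings before they reach the parser is therefore doing so on its own grammar, not on the protocol-string rules.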
