[Modules] Dynamically loading certificates.

Adam Hasselbalch Hansen ahh at one.com
Fri Oct 17 05:51:27 EDT 2008


Adam Hasselbalch Hansen wrote:

> Ok, so, here's the deal.
> 
> One (1) virtual host is defined in the Apache configuration. A separate 
> module directs requests to the right docroot, based on the hostname from 
> request_req. This needs to be replicated by mod_gnutls for this to work 
> with HTTPS.
> 
> Right now, I am hooking in just after the SNI-stuff in gnutls_hooks.c, 
> basically repeating the stuff from mgs_set_key_file and 
> mgs_set_cert_file, to overwrite whatever cert is in the server conf. 
> Also, I set the cert_cn, so subsequent requests for the same domain do 
> not reread the certificate/key files.
> 
> This seems to work, with negligible overhead.
> 
> One thing, though, is concurrency. If many requests to different domains 
> enter at once, I run the risk of some other request overwriting the 
> cert before the previous request was completed, which results in the 
> wrong cert being sent.
> 
> Also, I can't seem to actually save the cert_cn with the 
> mgs_servconf_rec, just with the server_rec. But that's minor, as I can 
> easily grab that instead.
> 
> The cache seems to not care about this, and stores and fetches like 
> there's no tomorrow.
> 
> Any thoughts?

No thoughts at all?


-- 
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: ahh at one.com, w: www.one.com
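
The concurrency problem raised in the message above, replayed deterministically as an added example (it is not from the original post and is not mod_gnutls code). It compares a single certificate slot in the server configuration, overwritten per request, with a selection stored on the connection; `cred_t`, `server_conf`, `conn_t`, the helper names and the host names are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: a "credential" is just a label naming its cert. */
typedef struct { const char *host; const char *cert; } cred_t;

/* Hypothetical per-host store: filled once and never modified while a
 * connection may still hold a pointer into it. */
static const cred_t store[] = {
    { "a.example", "cert-for-a.example" },
    { "b.example", "cert-for-b.example" },
};

static const cred_t *lookup(const char *sni) {
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].host, sni) == 0) return &store[i];
    return NULL;
}

/* Pattern from the post: one slot in the server config, overwritten per request. */
typedef struct { const cred_t *cert; } server_conf;
/* Alternative: the selection lives with the connection, not the server. */
typedef struct { const char *sni; const cred_t *cert; } conn_t;

static void select_shared(server_conf *sc, const conn_t *c) { sc->cert = lookup(c->sni); }
static void select_per_conn(conn_t *c) { c->cert = lookup(c->sni); }

/* Interleaving: A selects, B selects, then A sends its certificate.
 * Returns 1 if A would send a certificate issued for another host. */
int shared_slot_mismatch(void) {
    server_conf sc = { NULL };
    conn_t a = { "a.example", NULL }, b = { "b.example", NULL };
    select_shared(&sc, &a);
    select_shared(&sc, &b);              /* overwrites A's choice */
    return strcmp(sc.cert->host, a.sni) != 0;
}

/* Same interleaving, but each connection keeps its own pointer. */
int per_conn_mismatch(void) {
    conn_t a = { "a.example", NULL }, b = { "b.example", NULL };
    select_per_conn(&a);
    select_per_conn(&b);
    return strcmp(a.cert->host, a.sni) != 0 || strcmp(b.cert->host, b.sni) != 0;
}

int main(void) {
    printf("shared slot mismatch:    %d\n", shared_slot_mismatch());
    printf("per-connection mismatch: %d\n", per_conn_mismatch());
    return 0;
}
```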


