[Modules] Dynamically loading certificates.

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Oct 17 12:20:15 EDT 2008


On Fri, Oct 17, 2008 at 12:51 PM, Adam Hasselbalch Hansen <ahh at one.com> wrote:
> Adam Hasselbalch Hansen wrote:
>
>> Ok, so, here's the deal.
>>
>> One (1) virtual host is defined in the Apache configuration. A separate
>> module directs requests to the right docroot, based on the hostname from
>> request_rec. This needs to be replicated by mod_gnutls for this to work
>> with HTTPS.
>>
>> Right now, I am hooking in just after the SNI-stuff in gnutls_hooks.c,
>> basically repeating the stuff from mgs_set_key_file and
>> mgs_set_cert_file, to overwrite whatever cert is in the server conf.
>> Also, I set the cert_cn, so subsequent requests for the same domain do
>> not reread the certificate/key files.
>> This seems to work, with negligible overhead.
>>
>> One thing, though, is concurrency. If many requests to different domains
>> enter at once, I run the risk of some other request overwriting the
>> cert before the previous request has completed, which results in the
>> wrong cert being sent.

You could avoid it by some kind of locking.

>>
>> Also, I can't seem to actually save the cert_cn with the
>> mgs_servconf_rec, just with the server_rec. But that's minor, as I can
>> easily grab that instead.
>>
>> The cache seems to not care about this, and stores and fetches like
>> there's no tomorrow.
>>
>> Any thoughts?
>
> No thoughts at all?

Hello Adam,
I see no problem in your plan. However, due to engagements I haven't
really had time to seriously think about it.

regards,
Nikos
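The overwrite race described in the thread, as an added example in C that is not mod_gnutls code and not from either poster. The hostnames, the CERT(...) strings, the cache_get lookup and the a_/b_ helpers are constructed stand-ins for the module's shared server-config slot and for the real key/certificate loading in mgs_set_cert_file and mgs_set_key_file; the interleaving is forced in one thread so the wrong-certificate outcome is deterministic rather than timing dependent.

```c
/* Added example, not mod_gnutls code: a single shared certificate slot
 * (design A) versus per-connection selection from a cache (design B). */
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 8
#define CERT_LEN  64

/* One cache entry per SNI hostname; cn plays the role of the thread's
 * cert_cn, the key used to skip re-reading the files on later requests. */
struct host_cert {
    const char *cn;        /* points at the caller's string; real code would copy */
    char cert[CERT_LEN];   /* constructed stand-in for the loaded certificate */
};

static struct host_cert cache[MAX_HOSTS];
static int cache_len;
static int loads;          /* how many times the "files" were read */

/* Return the cached certificate for an SNI name, loading it on a miss.
 * Constructed stand-in: the "certificate" is the string CERT(<host>).
 * Under a threaded MPM the miss path must run under a lock (the "some kind
 * of locking" in the reply) so two workers cannot both insert the same
 * host or race on cache_len; the hit path only reads and needs no lock
 * once entries are never modified after insertion. */
static const struct host_cert *cache_get(const char *sni)
{
    for (int i = 0; i < cache_len; i++)
        if (strcmp(cache[i].cn, sni) == 0)
            return &cache[i];              /* hit: nothing re-read */
    if (cache_len == MAX_HOSTS)
        return NULL;                       /* cache full: caller must fail the handshake */
    struct host_cert *e = &cache[cache_len++];
    e->cn = sni;
    snprintf(e->cert, sizeof e->cert, "CERT(%s)", sni);
    loads++;
    return e;
}

/* Design A: one certificate slot in the shared server configuration,
 * overwritten after each SNI lookup. Every connection reads the same slot. */
static const char *shared_slot = "";

static int a_select(const char *sni)
{
    const struct host_cert *e = cache_get(sni);
    if (!e) return -1;
    shared_slot = e->cert;
    return 0;
}
static const char *a_send(void) { return shared_slot; }

/* Design B: the selected certificate lives in per-connection state, so a
 * concurrent handshake for another host cannot clobber it. */
struct conn { const char *cert; };

static int b_select(struct conn *c, const char *sni)
{
    const struct host_cert *e = cache_get(sni);
    if (!e) return -1;
    c->cert = e->cert;
    return 0;
}
static const char *b_send(const struct conn *c) { return c->cert; }

/* Deterministic version of the race: handshake 1 selects its cert,
 * handshake 2 selects its cert before handshake 1 has sent, then
 * handshake 1 sends. Returns 1 when the wrong certificate goes out. */
static int shared_slot_sends_wrong_cert(void)
{
    a_select("alpha.example");
    a_select("beta.example");                                /* clobbers the slot */
    return strcmp(a_send(), "CERT(alpha.example)") != 0;
}

/* Same interleaving with per-connection state. Returns 1 when correct. */
static int per_conn_sends_right_cert(void)
{
    struct conn c1 = { "" }, c2 = { "" };
    b_select(&c1, "alpha.example");
    b_select(&c2, "beta.example");
    return strcmp(b_send(&c1), "CERT(alpha.example)") == 0;
}

int main(void)
{
    printf("shared slot sends wrong cert:   %d\n", shared_slot_sends_wrong_cert());
    printf("per-connection sends right cert: %d\n", per_conn_sends_right_cert());
    printf("file loads for 4 lookups of 2 hosts: %d\n", loads);
    return 0;
}
```

The cache keeps the benefit Adam gets from cert_cn (a second request for the same hostname never touches the files again), while moving the selected certificate out of the shared server configuration removes the window in which another worker's SNI lookup can replace it. Locking is then only needed around the insert on a cache miss, not around every handshake.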


