[Modules] Dynamically loading certificates.

Adam Hasselbalch Hansen ahh at one.com
Fri Sep 19 08:35:10 EDT 2008


Nikos Mavrogiannopoulos wrote:
> Adam Hasselbalch Hansen wrote:
>> Hi there.
>>
>> I would like to hear opinions and ideas on loading certificate files at 
>> request time, rather than at server startup.
>>
>> We are hosting several thousand domains. As such, it is unfeasible to 
>> define static vhosts for every single one. Instead, through an in-house 
>> Apache module, we dynamically serve domains based on the incoming request.
>>
>> Now, we want to offer customers SSL-access to their domains, with 
>> individual certificates.
>>
>> So, I want to be able to read in certificate files based on what 
>> request_rec knows, and without knowing anything about the available 
>> domains (and thus, certificate files) at server startup. Is there any 
>> way to do this easily, or does this require major redesigns of the 
>> certificate handling inside the module?
> 
> If you want to do it efficiently probably you should hack mod_gnutls for
> a while. Currently it loads the certificates on startup. Doing it on
> runtime it needs to be done with some caching in mind or you will end up
> having a slow site.

Ok, so, here's the deal.

One (1) virtual host is defined in the Apache configuration. A separate 
module directs requests to the right docroot, based on the hostname from 
request_rec. This needs to be replicated by mod_gnutls for this to work 
with HTTPS.

Right now, I am hooking in just after the SNI-stuff in gnutls_hooks.c, 
basically repeating the stuff from mgs_set_key_file and 
mgs_set_cert_file, to overwrite whatever cert is in the server conf. 
Also, I set the cert_cn, so subsequent requests for the same domain do 
not reread the certificate/key files.

This seems to work, with negligible overhead.

One thing, though, is concurrency. If many requests to different domains 
enter at once, I run the risk of some other request overwriting the 
cert before the previous request has completed, which results in the 
wrong cert being sent.

Also, I can't seem to actually save the cert_cn with the 
mgs_servconf_rec, just with the server_rec. But that's minor, as I can 
easily grab that instead.

The cache seems to not care about this, and stores and fetches like 
there's no tomorrow.

Any thoughts?

-- 
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: ahh at one.com, w: www.one.com
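An added example, not code from this thread or from mod_gnutls, of the shape a per-hostname credential cache needs in order to avoid the overwrite race described above: one immutable entry per SNI name, created under a mutex, instead of one shared slot in the server config that each request rewrites. It also checks the client-supplied SNI name before it is turned into a file path, since that name comes straight from the handshake. The certificate directory, entry struct and function names are assumptions; the GnuTLS loading calls are indicated by a comment.

```c
#include <ctype.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-hostname credential cache (example code, not mod_gnutls).
 * Entries are never modified after insertion and the array is static, so a
 * pointer handed to one connection stays valid while other connections add
 * entries for other domains. */
#define MAX_ENTRIES 1024
#define MAX_HOST 253

struct cred_entry {
    char host[MAX_HOST + 1];
    char cert_path[512];   /* stands in for the loaded gnutls credentials */
    char key_path[512];
};

static struct cred_entry cache[MAX_ENTRIES];
static size_t cache_len;
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;

/* Accept only a plain DNS-style label sequence, lowercased in place, so the
 * client-controlled SNI value cannot steer the file path ("/", "..", etc.). */
int sanitize_sni(char *h) {
    size_t n = strlen(h);
    if (n == 0 || n > MAX_HOST || h[0] == '-' || h[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        h[i] = (char)tolower((unsigned char)h[i]);
        if (!(isalnum((unsigned char)h[i]) || h[i] == '-' || h[i] == '.')) return 0;
        if (h[i] == '.' && i > 0 && h[i - 1] == '.') return 0;
    }
    return h[n - 1] != '.' && h[n - 1] != '-';
}

/* Return the entry for an SNI name, loading it on first use under the lock. */
const struct cred_entry *get_creds(const char *sni, const char *certdir) {
    char host[MAX_HOST + 1];
    struct cred_entry *e = NULL;
    if (!sni || strlen(sni) > MAX_HOST) return NULL;
    strcpy(host, sni);
    if (!sanitize_sni(host)) return NULL;
    pthread_mutex_lock(&cache_lock);
    for (size_t i = 0; i < cache_len; i++)
        if (strcmp(cache[i].host, host) == 0) { e = &cache[i]; break; }
    if (!e && cache_len < MAX_ENTRIES) {          /* miss: add one entry per host */
        e = &cache[cache_len++];
        strcpy(e->host, host);
        snprintf(e->cert_path, sizeof e->cert_path, "%s/%s.crt", certdir, host);
        snprintf(e->key_path, sizeof e->key_path, "%s/%s.key", certdir, host);
        /* real module: gnutls_certificate_allocate_credentials() +
         * gnutls_certificate_set_x509_key_file() on these paths here */
    }
    pthread_mutex_unlock(&cache_lock);
    return e;
}
```

A connection then selects its entry from the SNI name it negotiated and never touches the server-wide configuration, so two handshakes for different domains cannot see each other's certificate.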