[Modules] Dynamically loading certificates.
Adam Hasselbalch Hansen
ahh at one.com
Fri Oct 17 05:51:27 EDT 2008
Adam Hasselbalch Hansen wrote:
> Ok, so, here's the deal.
>
> One (1) virtual host is defined in the Apache configuration. A separate
> module directs requests to the right docroot, based on the hostname from
> request_req. This needs to be replicated by mod_gnutls for this to work
> with HTTPS.
>
> Right now, I am hooking in just after the SNI-stuff in gnutls_hooks.c,
> basically repeating the stuff from mgs_set_key_file and
> mgs_set_cert_file, to overwrite whatever cert is in the server conf.
> Also, I set the cert_cn, so subsequent requests for the same domain do
> not reread the certificate/key files.
>
> This seems to work, with negligible overhead.
>
> One thing, though, is concurrency. If many requests to different domains
> enter at once, I run the risk of some other request overwriting the
> cert before the previous request was completed, which results in the
> wrong cert being sent.
>
> Also, I can't seem to actually save the cert_cn with the
> mgs_servconf_rec, just with the server_rec. But that's minor, as I can
> easily grab that instead.
>
> The cache seems to not care about this, and stores and fetches like
> there's no tomorrow.
>
> Any thoughts?
No thoughts at all?
--
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: ahh at one.com, w: www.one.com
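
Added example, not part of the original message and not mod_gnutls code: a deterministic model of the race described above, where two handshakes interleave and the shared server record is overwritten, next to a variant that binds the looked-up credentials to the connection. The types, function names, host names and certificate strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HOSTS 8
/* Constructed stand-in for a loaded cert/key pair (hypothetical type). */
typedef struct { char cn[64]; char cert[80]; } host_cred;
/* Models the server-wide record that the SNI hook overwrites. */
typedef struct { host_cred current; } shared_conf;
/* Per-connection state: the hardened variant binds credentials here. */
typedef struct { const host_cred *cred; } conn_state;
static host_cred cache[MAX_HOSTS];
static int cache_len, file_loads;

/* Look up credentials by SNI name; "read the files" only on a miss.
 * In a threaded server this cache needs a mutex around lookup and insert. */
const host_cred *cred_for_host(const char *sni) {
    for (int i = 0; i < cache_len; i++)
        if (strcmp(cache[i].cn, sni) == 0) return &cache[i];
    if (cache_len == MAX_HOSTS) return NULL;
    host_cred *c = &cache[cache_len++];
    snprintf(c->cn, sizeof c->cn, "%s", sni);
    snprintf(c->cert, sizeof c->cert, "CERT(%s)", sni); /* constructed value */
    file_loads++;
    return c;
}

/* Racy pattern: the SNI step overwrites shared state, the send step reads it. */
void racy_sni(shared_conf *sc, const char *sni) {
    const host_cred *c = cred_for_host(sni);
    if (c) sc->current = *c;
}
const char *racy_send(const shared_conf *sc) { return sc->current.cert; }

/* Hardened pattern: each connection keeps a pointer to its own entry. */
void safe_sni(conn_state *c, const char *sni) { c->cred = cred_for_host(sni); }
const char *safe_send(const conn_state *c) { return c->cred ? c->cred->cert : NULL; }

/* Interleave handshakes A and B (both SNI steps, then A's send); 1 if A gets its own cert. */
int a_gets_own_cert(int hardened) {
    shared_conf sc; conn_state a, b; const char *sent;
    if (hardened) { safe_sni(&a, "a.example"); safe_sni(&b, "b.example"); sent = safe_send(&a); }
    else { racy_sni(&sc, "a.example"); racy_sni(&sc, "b.example"); sent = racy_send(&sc); }
    return sent && strcmp(sent, "CERT(a.example)") == 0;
}

int main(void) {
    printf("shared: %d, per-connection: %d\n", a_gets_own_cert(0), a_gets_own_cert(1));
    return 0;
}
```

With GnuTLS, the per-connection binding corresponds to attaching the selected credentials to the session with `gnutls_credentials_set` rather than rewriting the server configuration.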