[Modules] Dynamically loading certificates.
Adam Hasselbalch Hansen
ahh at one.com
Fri Sep 19 08:35:10 EDT 2008
Nikos Mavrogiannopoulos wrote:
> Adam Hasselbalch Hansen wrote:
>> Hi there.
>>
>> I would like to hear opinions and ideas on loading certificate files at
>> request time, rather than at server startup.
>>
>> We are hosting several thousand domains. As such, it is unfeasible to
>> define static vhosts for every single one. Instead, through an in-house
>> Apache module, we dynamically serve domains based on the incoming request.
>>
>> Now, we want to offer customers SSL-access to their domains, with
>> individual certificates.
>>
>> So, I want to be able to read in certificate files based on what
>> request_rec knows, and without knowing anything about the available
>> domains (and thus, certificate files) at server startup. Is there any
>> way to do this easily, or does this require major redesigns of the
>> certificate handling inside the module?
>
> If you want to do it efficiently probably you should hack mod_gnutls for
> a while. Currently it loads the certificates on startup. Doing it on
> runtime it needs to be done with some caching in mind or you will end up
> having a slow site.
Ok, so, here's the deal.
One (1) virtual host is defined in the Apache configuration. A separate
module directs requests to the right docroot, based on the hostname from
request_rec. This needs to be replicated by mod_gnutls for this to work
with HTTPS.
Right now, I am hooking in just after the SNI-stuff in gnutls_hooks.c,
basically repeating the stuff from mgs_set_key_file and
mgs_set_cert_file, to overwrite whatever cert is in the server conf.
Also, I set the cert_cn, so subsequent requests for the same domain do
not reread the certificate/key files.
This seems to work, with negligible overhead.
One thing, though, is concurrency. If many requests to different domains
enter at once, I run the risk of some other request overwriting the
cert before the previous request has completed, which results in the
wrong cert being sent.
Also, I can't seem to actually save the cert_cn with the
mgs_servconf_rec, just with the server_rec. But that's minor, as I can
easily grab that instead.
The cache seems to not care about this, and stores and fetches like
there's no tomorrow.
Any thoughts?
--
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: ahh at one.com, w: www.one.com
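The pattern the thread is circling (load a certificate lazily for the name the client sent in SNI, cache it, and never overwrite a shared server-wide slot) is shown below as an added example. It is not code from the original mail or from mod_gnutls; it is written in Python against the standard library's ssl.SSLContext.sni_callback hook (Python 3.7+), which is the same handshake-time point Adam hooks in gnutls_hooks.c. The on-disk layout (<cert_dir>/<hostname>.crt and .key) and the DemoContext stand-in used by the stress test are assumptions for illustration. The race Adam describes cannot occur here because the per-connection object (sslobj.context) is the only thing assigned per request; the cache is append-only under a lock, and a duplicate load for the same name is simply discarded.

```python
"""Per-hostname certificate cache for an SNI callback (added example).

Each connection is handed its own context from a lazily built cache,
instead of one server-wide certificate slot being overwritten per
request, so concurrent handshakes for different names cannot see each
other's certificate.
"""
import os
import re
import ssl
import threading

# One DNS label per group, total length capped at 253. SNI is client
# controlled, so it is validated before it is ever turned into a file name
# (otherwise "../../etc/passwd" would be a valid "hostname").
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize(server_name):
    """Lowercase, strip a trailing dot, reject anything that is not a plain
    DNS hostname. Returns None for absent or invalid SNI."""
    if not server_name:
        return None
    name = server_name.rstrip(".").lower()
    return name if _HOSTNAME_RE.match(name) else None


def load_from_disk(cert_dir, hostname):
    """Assumed layout: <cert_dir>/<hostname>.crt and <cert_dir>/<hostname>.key.
    Returns None when the customer has no certificate installed."""
    crt = os.path.join(cert_dir, hostname + ".crt")
    key = os.path.join(cert_dir, hostname + ".key")
    if not (os.path.isfile(crt) and os.path.isfile(key)):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    return ctx


class CertStore:
    """Lazily populated hostname -> context cache, safe under concurrency."""

    def __init__(self, loader):
        self._loader = loader          # callable(hostname) -> context or None
        self._lock = threading.Lock()
        self._cache = {}               # hostname -> context (None = known missing)
        self.loads = 0                 # entries inserted: at most one per hostname

    def context_for(self, server_name):
        name = normalize(server_name)
        if name is None:
            return None
        with self._lock:
            if name in self._cache:
                return self._cache[name]
        # Cache miss: do the slow file I/O outside the lock. Two threads may
        # race here for the same name; the first insert wins and the other
        # result is discarded, so both still get a context for *their* name.
        ctx = self._loader(name)
        with self._lock:
            if name not in self._cache:
                self._cache[name] = ctx
                self.loads += 1
            return self._cache[name]

    def sni_callback(self, sslobj, server_name, default_context):
        """Signature expected by ssl.SSLContext.sni_callback. Assigning
        sslobj.context affects only this connection; default_context is never
        mutated, so it remains the fallback for names without a certificate.
        Return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME instead to refuse those."""
        ctx = self.context_for(server_name)
        if ctx is not None:
            sslobj.context = ctx
        return None  # continue the handshake


class DemoContext:
    """Stand-in for an SSLContext so the stress test runs without key files."""
    def __init__(self, hostname):
        self.hostname = hostname


def demo_store():
    return CertStore(loader=DemoContext)


def stress(store, hostnames, n_threads=8, iters=500):
    """Ask for many names concurrently and count how often a thread got a
    context for a name other than the one it asked for (the race in the
    mail). Requires the loader to tag contexts with .hostname."""
    mismatches = []
    barrier = threading.Barrier(n_threads)

    def worker(i):
        barrier.wait()
        for k in range(iters):
            name = hostnames[(i + k) % len(hostnames)]
            ctx = store.context_for(name)
            if ctx is None or ctx.hostname != name:
                mismatches.append(name)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(mismatches)


if __name__ == "__main__":
    names = ["site%d.example" % i for i in range(50)]
    store = demo_store()
    print("mismatches:", stress(store, names), "loads:", store.loads)
```

To wire it into a real server, build one fallback context with the default vhost certificate, set `fallback.sni_callback = CertStore(lambda h: load_from_disk("/etc/ssl/customers", h)).context_for` style wrapper, i.e. `fallback.sni_callback = store.sni_callback`, and wrap accepted sockets with that fallback context; the callback then swaps in the per-customer context before the ServerHello. The same two rules carry over to a C module: validate the SNI string before touching the filesystem, and attach the loaded credentials to the per-connection state rather than to the server configuration record.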