Posted to dev@httpd.apache.org by Adam Hasselbalch Hansen <ah...@one.com> on 2010/06/04 12:07:08 UTC

Re: mod_ssl, SNI and dynamic virtual hosts

Adam Hasselbalch Hansen wrote:
> Thomas, Peter wrote:
>>> -----Original Message-----
>>> From: Adam Hasselbalch Hansen [mailto:ahh@one.com] Sent: Tuesday, May 
>>> 25, 2010 7:06 AM
>>> To: dev@httpd.apache.org
>>> Subject: Re: mod_ssl, SNI and dynamic virtual hosts
>>> So what I'm attempting to get feedback on is whether or not it will 
>>> be possible or even feasible to move certificate loading (as in the 
>>> actual reading of certificate files) from startup time to request 
>>> time, and if so, what caveats if any this may lead to.
> 
>> Loading & processing server certificates, keys, trust chains, and CRLs
>> Request time doesn't make sense to me, unless it's implemented as a
>> "one-time cost" for the first use of a dynamic virtual host.  Are these
>> virtual hosts truly dynamic?  It seems that there would have to be some
>> a priori knowledge of the possible servers you might be hosting. Are you
> 
> Not in a consistent way. Dynamic hosts can (and will) be added or 
> removed from under Apache's nose without restarting it.
> 
>> in fact proposing some mechanism whereby you provide a path generator as
>> in "certs/%s/server.crt" where Apache will look for the certificates
>> [and other files] defining the PKI environment for each dynamic virtual
>> host, and that further these files might not have been present on the
>> system at httpd's startup?
> 
> That is exactly what I am proposing.

Any further comments? It seemed like you had more to say :)


-- 
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: ahh@one.com, w: www.one.com
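
Added example, not part of the original message and not mod_ssl code: with request-time loading, the "%s" in the "certs/%s/server.crt" layout quoted above is filled from the client-supplied SNI name, so the name has to be validated before it becomes part of a file path. `sni_cert_path` is a hypothetical helper and the sample names in `main` are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an httpd or mod_ssl API): map a client-supplied SNI
 * name to a certificate path using the thread's "certs/%s/server.crt" layout.
 * Returns 0 and fills `out` on success, -1 if the name is rejected. */
int sni_cert_path(const char *sni, char *out, size_t outlen)
{
    char host[254];                       /* DNS name: at most 253 bytes + NUL */
    size_t n = strlen(sni), label = 0;    /* label = length of current label */

    if (n == 0 || n > 253)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)sni[i];
        if (c == '.') {
            if (label == 0 || sni[i - 1] == '-')   /* "..", leading dot, "a-." */
                return -1;
            label = 0;
            host[i] = '.';
            continue;
        }
        /* letters, digits and '-' only: rejects '/', '\\', '%' and control bytes */
        if (!(c < 128 && isalnum(c)) && c != '-')
            return -1;
        if (c == '-' && label == 0)       /* a label may not start with '-' */
            return -1;
        if (++label > 63)                 /* DNS label length limit */
            return -1;
        host[i] = (char)tolower(c);       /* one file/cache key per host */
    }
    if (label == 0 || sni[n - 1] == '-')  /* trailing dot or trailing hyphen */
        return -1;
    host[n] = '\0';

    int w = snprintf(out, outlen, "certs/%s/server.crt", host);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;   /* reject truncation */
}

int main(void)
{
    const char *names[] = { "Shop.Example.COM", "../../etc/passwd", "a..b" }; /* constructed */
    char path[300];
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", names[i],
               sni_cert_path(names[i], path, sizeof path) ? "rejected" : path);
    return 0;
}
```

Lowercasing the name also gives a single key under which a loaded certificate could be cached, which fits the "one-time cost" per virtual host raised in the quoted reply.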