Adam Hasselbalch Hansen wrote:
Thomas, Peter wrote:
-----Original Message-----
From: Adam Hasselbalch Hansen
Sent: Tuesday, May 25, 2010 7:06 AM
Subject: Re: mod_ssl, SNI and dynamic virtual hosts
So what I'm attempting to get feedback on is whether or not it will be possible or even feasible to move certificate loading (as in the actual reading of certificate files) from startup time to request time, and if so, what caveats if any this may lead to.

Loading & processing server certificates, keys, trust chains, and CRLs
Request time doesn't make sense to me, unless it's implemented as a
"one-time cost" for the first use of a dynamic virtual host.  Are these
virtual hosts truly dynamic?  It seems that there would have to be some
a priori knowledge of the possible servers you might be hosting. Are you

Not in a consistent way. Dynamic hosts can (and will) be added or removed from under Apache's nose without restarting it.

in fact proposing some mechanism whereby you provide a path generator as
in "certs/%s/server.crt" where Apache will look for the certificates
[and other files] defining the PKI environment for each dynamic virtual
host, and that further these files might not have been present on the
system at httpd's startup?

That is exactly what I am proposing.

Any further comments? It seemed like you had more to say :)

Adam Hasselbalch Hansen
UNIX Systems Developer, CPH

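One caveat of the "certs/%s/server.crt" path generator discussed in this thread is that the name substituted for %s comes from the client's SNI extension, so it has to be validated before it touches the filesystem. The following is an added example, not code from the thread or from mod_ssl; the function names `sni_name_ok` and `cert_path_for_sni` are hypothetical, and the sample names in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* ASCII letter or digit; avoids locale-dependent <ctype.h> behaviour. */
static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Validate an SNI name as dot-separated letter/digit/hyphen labels and
 * write a lower-cased copy to out. Returns 0 if accepted, -1 if rejected. */
static int sni_name_ok(const char *sni, char *out, size_t outlen)
{
    size_t n = strlen(sni), label = 0;
    if (n == 0 || n > 253 || n >= outlen) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)sni[i];
        if (c == '.') {
            if (label == 0 || sni[i - 1] == '-') return -1; /* "..", ".x", "a-." */
            label = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label > 0)) {
            if (++label > 63) return -1;                    /* label too long */
        } else {
            return -1;              /* '/', '\\', '%', non-ASCII bytes, ... */
        }
        out[i] = (char)((c >= 'A' && c <= 'Z') ? c + 32 : c);
    }
    if (label == 0 || sni[n - 1] == '-') return -1;  /* trailing '.' or '-' */
    out[n] = '\0';
    return 0;
}

/* Build the per-host certificate path from the fixed pattern used in the
 * thread. Returns 0 on success, -1 on a rejected name or truncated path. */
int cert_path_for_sni(const char *sni, char *path, size_t pathlen)
{
    char host[254];
    if (sni == NULL || sni_name_ok(sni, host, sizeof host) != 0) return -1;
    int w = snprintf(path, pathlen, "certs/%s/server.crt", host);
    return (w < 0 || (size_t)w >= pathlen) ? -1 : 0;
}

int main(void)
{
    char path[300];
    const char *names[] = { "WWW.Example.com", "../../etc", "a/b", "example..com" }; /* constructed */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i], cert_path_for_sni(names[i], path, sizeof path) ? "rejected" : path);
    return 0;
}
```

Rejecting the name outright, rather than trying to sanitise it, keeps the lookup inside the `certs/` tree and gives a single point at which to fall back to the default virtual host.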