Hi all,

ok, I just wanted to start here, because this seems like the place.

I know this is going to meet a lot of resistance, but here is my crazy idea.

I'd like to figure out a way to dynamically retrieve the SSL keys for particular IP connections from the filesystem without having to have a configuration directive for each one.

So, something like this kind of flow:

1) Request comes in to open an SSL connection on a particular IP
2) mod_ssl first looks in its memory table to see if it already has the public and private key configs
3) If not, it uses the IP as a location on disk to retrieve the keys into memory (like /private/keys/205.34.56.78/host.key and host.crt)
4) mod_ssl then uses that and goes along its merry way encrypting

I know there are some issues to solve

1) Security of the keys. Normally they are owned by a more privileged user than the web server is running as and get read in before apache changes its ownership. I may be able to get around this by having a wrapper to retrieve the key as the privileged owner, or have them located in a database on another machine...
2) It would have to be smart enough of a chunk of code to determine if there is a CA cert as well.

The benefits:

1) No need for config files to specify certs for each of the IPs!
2) Very fast startup
3) Scales very easily

The downsides:

1) Delay going to disk the first time to get the keys when request comes in.
2) Security issues on safety of key locations and/or retrieval.

I think the benefits outweigh the downsides in this case, which is why I am pursuing it.

Any comments? Concerns? Ideas on perhaps a way to write a module separate from changing mod_ssl that had hooks in the right places?

Does anyone know if there are hooks to get in front of the SSL connection?

I'd rather write a fresh module than be changing the mod_ssl stuff...

Thanks,

Tim

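As an added illustration (not Tim's code and not mod_ssl's), the C below sketches steps 2 and 3 of the flow from the defender's side: the client-facing IP is canonicalised through inet_pton/inet_ntop before it becomes a path component, so nothing but a dotted quad can reach the filesystem; the private key is accepted only if it is a regular file owned by the expected uid with no group/other permissions (issue 1 in the post); the optional CA cert (issue 2) is detected by presence. The key root is a parameter rather than the fixed /private/keys, the CA file name ca.crt and the `lookup_cert`/`key_file_is_safe` names are my assumptions, and `make_demo_keys` builds a throwaway key tree in a temp directory purely so the block runs offline.

```c
#define _XOPEN_SOURCE 700
/* Constructed example: per-IP lazy key lookup with a memory table.
 * Layout assumed from the post: <root>/<ip>/host.key, host.crt, optional ca.crt. */
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define CACHE_SIZE 64
#define PATH_LEN 512

typedef struct {
    char ip[INET_ADDRSTRLEN];
    char key_path[PATH_LEN];
    char crt_path[PATH_LEN];
    char ca_path[PATH_LEN];
    int has_ca;                 /* 1 when <root>/<ip>/ca.crt is present */
} cert_entry;

static cert_entry cache[CACHE_SIZE];   /* the "memory table" of step 2 */
static int cache_len;

/* Round-trip the IP through inet_pton/inet_ntop: only a canonical dotted
 * quad comes out, so "..", "/" or other path characters can never get in. */
int canonical_ipv4(const char *in, char *out, size_t outlen)
{
    struct in_addr a;
    if (inet_pton(AF_INET, in, &a) != 1) return 0;
    return inet_ntop(AF_INET, &a, out, outlen) != NULL;
}

/* Accept a private key only if it is a regular file, owned by `owner`,
 * and unreadable by group and others. */
int key_file_is_safe(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != owner) return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0;
    return 1;
}

/* Step 3: derive the on-disk locations from the (validated) IP. */
int build_paths(const char *root, const char *ip, cert_entry *e)
{
    char canon[INET_ADDRSTRLEN];
    if (!canonical_ipv4(ip, canon, sizeof canon)) return 0;
    snprintf(e->ip, sizeof e->ip, "%s", canon);
    snprintf(e->key_path, sizeof e->key_path, "%s/%s/host.key", root, canon);
    snprintf(e->crt_path, sizeof e->crt_path, "%s/%s/host.crt", root, canon);
    snprintf(e->ca_path, sizeof e->ca_path, "%s/%s/ca.crt", root, canon);
    return 1;
}

/* Steps 2 and 3: hit the table first; otherwise validate, load, remember. */
cert_entry *lookup_cert(const char *root, const char *ip, uid_t owner)
{
    cert_entry tmp;
    int i;
    if (!build_paths(root, ip, &tmp)) return NULL;
    for (i = 0; i < cache_len; i++)
        if (strcmp(cache[i].ip, tmp.ip) == 0) return &cache[i];
    if (cache_len == CACHE_SIZE) return NULL;            /* table full: refuse */
    if (!key_file_is_safe(tmp.key_path, owner)) return NULL;
    if (access(tmp.crt_path, R_OK) != 0) return NULL;
    tmp.has_ca = access(tmp.ca_path, R_OK) == 0;         /* issue 2 in the post */
    cache[cache_len] = tmp;
    return &cache[cache_len++];
}

int cached_count(void) { return cache_len; }

/* Constructed fixture: a fresh temp root holding a 0600 key and a cert. */
int make_demo_keys(char *root_out, size_t rootlen, const char *ip, int with_ca)
{
    char dir[PATH_LEN], file[PATH_LEN];
    int fd;
    snprintf(root_out, rootlen, "/tmp/sslkeysXXXXXX");
    if (mkdtemp(root_out) == NULL) return 0;
    snprintf(dir, sizeof dir, "%s/%s", root_out, ip);
    if (mkdir(dir, 0700) != 0) return 0;
    snprintf(file, sizeof file, "%s/host.key", dir);
    if ((fd = open(file, O_WRONLY | O_CREAT, 0600)) < 0) return 0;
    if (write(fd, "demo-key\n", 9) != 9) return 0;
    close(fd);
    snprintf(file, sizeof file, "%s/host.crt", dir);
    if ((fd = open(file, O_WRONLY | O_CREAT, 0644)) < 0) return 0;
    close(fd);
    if (with_ca) {
        snprintf(file, sizeof file, "%s/ca.crt", dir);
        if ((fd = open(file, O_WRONLY | O_CREAT, 0644)) < 0) return 0;
        close(fd);
    }
    return 1;
}

int main(void)
{
    char root[64];
    cert_entry *e;
    if (!make_demo_keys(root, sizeof root, "205.34.56.78", 0)) return 1;
    e = lookup_cert(root, "205.34.56.78", getuid());
    printf("%s -> %s (ca present: %d, cached: %d)\n", e ? e->ip : "?",
           e ? e->key_path : "rejected", e ? e->has_ca : 0, cached_count());
    printf("traversal attempt accepted: %d\n",
           lookup_cert(root, "../../etc", getuid()) != NULL);
    return 0;
}
```

The first call for an IP pays the disk cost the post lists as a downside; every later call is served from the table. A key that is world-readable or owned by the wrong user is refused rather than loaded, which is the check a privileged key-reading wrapper would also want before handing a key to the unprivileged server process.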