httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46458] Allow dynamic generation of certificates.
Date Fri, 02 Jan 2009 17:50:31 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46458


sebastian <postmaster@sebn.us.to> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




--- Comment #2 from sebastian <postmaster@sebn.us.to>  2009-01-02 09:50:29 PST ---
But I mean if I only know the hostname at the time of the request, before
SSL-handshake.

Or if I generate domains on-the-fly tied to a specific IP-adress, and want to
lookup the correct domain given a specific IP-adress, and then load the correct
certificate.

Lets say I have 50 IPs. Then lets say I have 50 different subdomains connected
to each IP.
Instead of creating 50 VirtualHosts with its own certificate, I could simply
have one virtualhost with SSLCertificateFile exec:/usr/bin/cat
/etc/httpd/certificates/%{SERVER_ADDR}.crt

And Apache would for the request with the target ip "213.12.14.56" execute
"/usr/bin/cat /etc/httpd/certificates/213.12.14.56.crt" (which would be a
certificate with its DN set to the correct domain)
and use the certificate it gets on STDOUT for the current SSL request.

Thats one example.

The following enviroment vars are available before handshake:
all SERVER_ variables
all REMOTE_ variables except REMOTE_USER
all TIME_ variables
and the HTTPS variable (which in this case always is "on")

Another example is in a corporate proxy situation, where you want to do SSL
scanning of all SSL requests made from inside firewall.
You can set up a DNS which delivers the IP 10.1.1.1 to 10.1.254.254
sequentally, for each domain requested, and then store which domain that was
requested when the IP x.x.x.x was returned, in a database...

So when a client with the IP 10.2.1.2 request:
www.google.se from the DNS, it would return "www.google.se IN A 10.1.1.1" , and
then store in database:
"UPDATE domaintable SET domain='www.google.se' WHERE ip='10.1.1.1' AND
clientip='10.2.1.2'"

next the same client request www.gmail.com, it would get "www.gmail.com IN A
10.1.1.2" from the DNS, and then it store:
"UPDATE domaintable SET domain='www.gmail.com' WHERE ip='10.1.1.2' AND
clientip='10.2.1.2'"

Then you can have a CA certificate with its corresponding private key, and then
have a normal certificate with a specific publickey and private key.

Then you can have:
SSLCertificateFile /usr/bin/certgenerate %{SERVER_ADDR} %{REMOTE_ADDR}

And the script could look something like this (pseudocode)
Get Argument1 and Argument2 from commandline
Variable1 = "SELECT domain FROM domaintable WHERE ip='Argument1' AND
clientip='Argument2'"
Load /etc/certificates/cert.pem
Replace current DN with Variable1
Resign certificate with the CA private key
print certificate on STDOUT

So this is the 2 examples I could come up with.

And I think this would be pretty easy to implement. The only thing that needs
to be changed, is to load the certificate for each request instead of server
start, and then allow the use of SSLCertificateFile exec:/path/to/program which
executes the program with specified arguments, and then reads from the STDOUT,
and a function to resolve variable names like %{REMOTE_ADDR}, %{SERVER_ADDR}
and such.

I think it would be a good interface to those that want to do some more
advanced certificate management than loading from a simple file.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message