httpd-modules-dev mailing list archives

From Tim Traver <tt-l...@simplenet.com>
Subject mod_ssl dynamic configuration project
Date Tue, 26 Mar 2013 20:25:52 GMT
Hi all,

OK, I just wanted to start here, because this seems like the place.

I know this is going to meet a lot of resistance, but here is my crazy idea.

I'd like to figure out a way to dynamically retrieve the SSL keys for 
particular IP connections from the filesystem without having to have a 
configuration directive for each one.

So, something like this kind of flow:

1) Request comes in to open an SSL connection on a particular IP
2) mod_ssl first looks in its memory table to see if it already has the 
public and private key configs
3) If not, it uses the IP as a location on disk to retrieve the keys 
into memory (like /private/keys/205.34.56.78/host.key and host.crt)
4) mod_ssl then uses that and goes along its merry way encrypting

I know there are some issues to solve

1) Security of the keys. Normally they are owned by a more privileged 
user than the web server is running as and get read in before apache 
changes its ownership. I may be able to get around this by having a 
wrapper to retrieve the key as the privileged owner, or have them 
located in a database on another machine...
2) It would have to be smart enough of a chunk of code to determine if 
there is a CA cert as well.

The benefits:

1) No need for config files to specify certs for each of the IPs!
2) Very fast startup
3) Scales very easily

The downsides:

1) Delay going to disk the first time to get the keys when a request comes in.
2) Security issues on safety of key locations and/or retrieval.

I think the benefits outweigh the downsides in this case, which is why I 
am pursuing it.

Any comments? Concerns? Ideas on perhaps a way to write a module 
separate from changing mod_ssl that had hooks in the right places?

Does anyone know if there are hooks to get in front of the SSL connection?

I'd rather write a fresh module than be changing the mod_ssl stuff...

Thanks,

Tim
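The lookup flow sketched above (steps 1 to 4) together with the two open issues, modelled as an added Python example; it is not code from the post or from httpd/mod_ssl. The key root, the file names host.key/host.crt/ca.crt, the literal-IP validation and the permission check on the private key are all assumptions.

```python
import ipaddress
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical on-disk layout from the post: <root>/<ip>/host.key, host.crt and,
# optionally, ca.crt. mod_ssl does none of this; the names are assumptions.
KEY_ROOT = Path("/private/keys")
KEY_CACHE = {}  # step 2: in-memory table keyed by listener IP


def validate_ip(ip):
    """Accept only a literal IP so the lookup can never build a path outside the root."""
    return str(ipaddress.ip_address(ip))  # raises ValueError on anything else


def check_private_key_perms(path):
    """Refuse a key readable by group or others: the lookup runs after privilege drop."""
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible")


def load_keypair(ip, root=KEY_ROOT, cache=KEY_CACHE):
    """Steps 2-3: return cached material for ip, or read it from <root>/<ip>/."""
    ip = validate_ip(ip)
    if ip in cache:
        return cache[ip]
    vhost_dir = root / ip
    key_path, crt_path, ca_path = (vhost_dir / n for n in ("host.key", "host.crt", "ca.crt"))
    if not (key_path.is_file() and crt_path.is_file()):
        raise FileNotFoundError(f"no key/cert pair under {vhost_dir}")
    check_private_key_perms(key_path)
    entry = {
        "key": key_path.read_bytes(),
        "cert": crt_path.read_bytes(),
        "ca": ca_path.read_bytes() if ca_path.is_file() else None,  # issue 2: optional CA cert
    }
    cache[ip] = entry
    return entry


def make_demo_layout(with_ca=False, key_mode=0o600):
    """Build a constructed key tree in a temp dir (placeholder PEM text, not real keys)."""
    root = Path(tempfile.mkdtemp())
    vhost_dir = root / "205.34.56.78"
    vhost_dir.mkdir()
    (vhost_dir / "host.key").write_bytes(b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    os.chmod(vhost_dir / "host.key", key_mode)
    (vhost_dir / "host.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    if with_ca:
        (vhost_dir / "ca.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed ca\n-----END CERTIFICATE-----\n")
    return root
```

Because the IP string becomes part of a filesystem path, the literal-IP check is what keeps a malformed value from selecting a directory outside the key root; the cache means a key tree edited after first use is not seen until the entry is dropped.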

