httpd-users mailing list archives

From postmas...@sebn.us.to
Subject Re: Re: [users@httpd] Problems with dynamically generating certificate...
Date Wed, 31 Dec 2008 08:54:50 GMT
>> Since the request follows the handshake, would you even know the
>> hostname being requested at the right time? (SNI aside)

One idea is to have a custom made DNS server which always issues a random IP in, let's say, the
10.1.x.x series for each hostname->IP request. The certgenerate software could get the
target IP by having apache give it %{SERVER_ADDR} as argument (let's say it's 10.1.234.11),
and then the certgenerate software could query the DNS server which hostname was requested
when it returned 10.1.234.11.

(The client would have an IP in the 10.2.x.x series and a netmask of 255.0.0.0)

So let's say a user wants to visit https://www.verisign.com

The user would do a DNS request to my DNS server. My DNS server gives a random IP as answer
(let's say 10.1.234.11), with a very low TTL. Then the DNS would store in its datafile that
10.1.234.11 was a response for www.verisign.com

Then the user does an HTTPS request to my proxy server, which listens on 10.1.*.*. The server
would then start the certgenerate program, which gets the IP 10.1.234.11. certgenerate opens
the DNS server datafile, checks which hostname was returned for 10.1.234.11, and would
get www.verisign.com.

Then certgenerate creates a certificate which is valid for www.verisign.com, signs
it with my CA key, and prints it on STDOUT, and then the user would get no certificate warnings
since my CA key is imported in the browser.

So as you said there is no support in apache for dynamic certificate generation, why not
add support for it? Make it a feature request. Of course, all environment vars that are available
before the SSL handshake could be available in %{<variable>} notation, so they can be used
as arguments to the dynamic certificate generation program.

I would suggest implementing the dynamic certificate support with exec: in SSLCertificateFile.

Best regards, Sebastian Nielsen
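The IP-to-hostname bookkeeping this message relies on, written out as an added illustration (not code from the thread, from httpd, or from any certgenerate program). It keeps the leases in memory instead of the DNS datafile, and the HostMap name, the TTL and the hostnames are constructed for the example; it also shows the failure mode of the design, where a client that keeps using an address past its TTL is mapped to whatever hostname that address was handed out for next.

```python
import random
import time

# Constructed model of the DNS-side bookkeeping described in the message:
# every hostname lookup is answered with a fresh random 10.1.x.x address
# with a short TTL, and the proxy maps the address it was contacted on
# (%{SERVER_ADDR}) back to the hostname. Added example, not httpd code.

POOL_PREFIX = "10.1."
TTL_SECONDS = 5  # the "very low TTL" from the message (constructed value)


class HostMap:
    """Maps random 10.1.x.x answers to the hostname they were handed out for."""

    def __init__(self, ttl=TTL_SECONDS, rng=None, clock=time.monotonic):
        self.ttl = ttl
        self.rng = rng or random.Random()
        self.clock = clock          # injectable so expiry can be tested
        self.leases = {}            # ip -> (hostname, expiry time)

    def _unused_ip(self):
        """Pick a 10.1.x.x address with no live lease (expired ones are reused)."""
        now = self.clock()
        for _ in range(1000):
            ip = f"{POOL_PREFIX}{self.rng.randrange(256)}.{self.rng.randrange(1, 255)}"
            lease = self.leases.get(ip)
            if lease is None or lease[1] <= now:
                return ip
        raise RuntimeError("10.1.0.0/16 pool exhausted")

    def resolve(self, hostname):
        """DNS side: answer a query with a fresh address and record the lease."""
        ip = self._unused_ip()
        self.leases[ip] = (hostname, self.clock() + self.ttl)
        return ip

    def hostname_for(self, server_addr):
        """Proxy side: which hostname was server_addr issued for?
        Returns None for an unknown or expired lease instead of guessing,
        because an expired address may already belong to another hostname."""
        lease = self.leases.get(server_addr)
        if lease is None or lease[1] <= self.clock():
            return None
        return lease[0]
```

The reuse check at the end of the lookup is the part the message's datafile scheme does not have: once the TTL has passed, the same 10.1.x.x address can be handed out for a different hostname, so a stale client connection would get a certificate for the wrong name.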



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

