>> Since the request follows the handshake, would you even know the
>> hostname being requested at the right time? (SNI aside)

One idea is to have a custom-made DNS server which always issues a random IP in,
let's say, the 10.1.x.x series for each hostname->IP request. The certgenerate
software could get the target IP by having Apache give it %{SERVER_ADDR} as an
argument (let's say it's 10.1.234.11), and then the certgenerate software could
query the DNS server for which hostname was requested when it returned 10.1.234.11.

(The client would have an IP in the 10.2.x.x series and a netmask of 255.0.0.0.)

So let's say a user wants to visit https://www.verisign.com

The user would do a DNS request to my DNS server. My DNS server gives a random
IP as the answer (let's say 10.1.234.11), with a very low TTL. Then the DNS
server would store in its data file that 10.1.234.11 was a response for
www.verisign.com.

Then the user does an HTTPS request to my proxy server, which listens on 10.1.*.*.
The server would then start the certgenerate program, which gets the IP
10.1.234.11. certgenerate opens the DNS server's data file, checks which
hostname was returned for 10.1.234.11, and gets www.verisign.com.

Then certgenerate creates a certificate which is valid for www.verisign.com,
signs it with my CA key, and prints it on STDOUT; the user would then get no
certificate warnings, since my CA key is imported in the browser.

So, as you said there was no support in Apache for dynamic certificate
generation, why not add support for it? Make it a feature request. Of course,
all environment vars that are available before the SSL handshake could be made
available in %{<variable>} notation, so they can be used as arguments to the
dynamic certificate generation program.

I would suggest implementing the dynamic certificate support with exec: in
SSLCertificateFile.

Best regards, Sebastian Nielsen
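The DNS-side bookkeeping the message describes (a fresh random 10.1.x.x answer per query, then a reverse lookup by IP for the certgenerate step), as an added Python example that is not part of the original message or of any Apache code; the class and parameter names are assumptions of mine, and it deliberately remembers each mapping longer than the advertised DNS TTL, since the browser's HTTPS connection can arrive after the record has expired.

```python
import ipaddress
import random
import time


class HostnameIpRegistry:
    """Bookkeeping for the DNS side of the scheme in the message.

    answer() hands out a not-currently-mapped address from the 10.1.x.x pool
    for each hostname query and records the mapping; hostname_for() is the
    reverse lookup the certgenerate step would do with %{SERVER_ADDR}.
    Names and parameters are assumed here, not taken from any real server.
    """

    def __init__(self, pool="10.1.0.0/16", dns_ttl=5, hold=60, rng=None):
        self.pool = ipaddress.ip_network(pool)
        self.dns_ttl = dns_ttl      # TTL advertised in the DNS answer
        self.hold = hold            # seconds the mapping is remembered (> TTL)
        self.rng = rng or random.Random()
        self._by_ip = {}            # "10.1.a.b" -> (hostname, expires_at)

    def _expire(self, now):
        stale = [ip for ip, (_, exp) in self._by_ip.items() if exp <= now]
        for ip in stale:
            del self._by_ip[ip]

    def answer(self, hostname, now=None):
        """Return (ip, ttl) to put in the DNS reply for hostname."""
        now = time.time() if now is None else now
        self._expire(now)
        # A naive random pick could hand one IP to two hostnames within the
        # hold window, and certgenerate would then mint a cert for the wrong
        # name, so retry until an unmapped host address is found. Offsets
        # skip the network and broadcast addresses of the pool.
        size = self.pool.num_addresses
        for _ in range(1000):
            ip = str(self.pool[self.rng.randrange(1, size - 1)])
            if ip not in self._by_ip:
                self._by_ip[ip] = (hostname, now + self.hold)
                return ip, self.dns_ttl
        raise RuntimeError("no free address in pool; lower hold or widen pool")

    def hostname_for(self, ip, now=None):
        """Hostname the IP was answered for, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._by_ip.get(ip)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]
```

If hostname_for() returns None the proxy has no name to put in the certificate and should refuse the connection rather than guess.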



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
