Transforming SSL server cert and private key in variables.

Maxim Dounin mdounin at
Tue Jan 22 11:21:04 UTC 2013


On Tue, Jan 22, 2013 at 11:21:44AM +0100, António P. P. Almeida wrote:

> Hello,
> I've not yet ventured into Nginx C module coding, but I would like to
> know if changing the current SSL module directives:
> ssl_certificate and ssl_certificate_key, so that instead of strings
> they can be variables (complex values) is feasible, or due to the fact
> that SSL happens below the protocol layer, is much more difficult, than,
> for instance, the recent transformation in variables of the auth_basic
> module directives?

It is going to be much more difficult, as you have to reload 
certificates and keys into SSL context before asking OpenSSL to 
establish connection, and you'll likely need at least some caching 
layer in place to make things at least somewhat reasonable from 
performance point of view.

Besides that, the only connection-specific info available when 
establishing SSL connection is remote address (in all cases) and 
server name indicated by a client (in case of SNI).  Which makes 
it mostly useless, as remote address destinction is mostly useless 
(and/or should be done at layer 3), and server{} blocks are here 
to handle server name distinction.

Maxim Dounin

More information about the nginx-devel mailing list