Transforming SSL server cert and private key in variables.
Maxim Dounin
mdounin at mdounin.ru
Tue Jan 22 11:21:04 UTC 2013
Hello!
On Tue, Jan 22, 2013 at 11:21:44AM +0100, António P. P. Almeida wrote:
> Hello,
>
> I've not yet ventured into Nginx C module coding, but I would like to
> know if changing the current SSL module directives:
> ssl_certificate and ssl_certificate_key, so that instead of strings
> they can be variables (complex values) is feasible, or due to the fact
> that SSL happens below the protocol layer, is much more difficult, than,
> for instance, the recent transformation in variables of the auth_basic
> module directives?
It is going to be much more difficult, as you have to reload
certificates and keys into the SSL context before asking OpenSSL to
establish the connection, and you'll likely need at least some caching
layer in place to make things at least somewhat reasonable from a
performance point of view.
Besides that, the only connection-specific info available when
establishing an SSL connection is the remote address (in all cases) and
the server name indicated by the client (in case of SNI). Which makes
it mostly useless, as remote address distinction is mostly useless
(and/or should be done at layer 3), and server{} blocks are here
to handle server name distinction.
--
Maxim Dounin
http://nginx.com/support.html
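As an added illustration of the last point (not part of the thread), the following nginx configuration selects a certificate per server name through separate server{} blocks, which is the SNI-based distinction nginx already performs before the handshake completes; the hostnames and certificate paths are placeholders, and the default_server block is what a client that sends no SNI will get.

```nginx
# Added example: per-hostname certificates via server{} blocks instead of
# variables. Paths and names below are placeholders, not real files.

http {
    # Clients that do not send SNI (or send an unknown name) are matched
    # by default_server, so this block's certificate is the fallback.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/fallback.crt;
        ssl_certificate_key /etc/nginx/ssl/fallback.key;
        return 444;   # close the connection: no site is served by name here
    }

    # SNI name "example.test" is matched before the TLS handshake finishes,
    # so the certificate loaded into this block's SSL context is the one
    # presented to the client.
    server {
        listen 443 ssl;
        server_name example.test www.example.test;
        ssl_certificate     /etc/nginx/ssl/example.test.crt;
        ssl_certificate_key /etc/nginx/ssl/example.test.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / { root /srv/example.test; }
    }

    # A second hostname gets its own block and its own certificate;
    # both contexts are built at configuration load, so there is no
    # per-connection reload and no caching layer to design.
    server {
        listen 443 ssl;
        server_name other.test;
        ssl_certificate     /etc/nginx/ssl/other.test.crt;
        ssl_certificate_key /etc/nginx/ssl/other.test.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / { root /srv/other.test; }
    }
}
```

Verify which certificate a given name resolves to with `openssl s_client -connect host:443 -servername example.test`, and without `-servername` to see the default_server fallback.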