Transforming SSL server cert and private key in variables.
Maxim Dounin
mdounin at mdounin.ru
Tue Jan 22 13:34:40 UTC 2013
Hello!
On Tue, Jan 22, 2013 at 02:11:59PM +0100, António P. P. Almeida wrote:
> On 22 Jan 2013 12h21 CET, mdounin at mdounin.ru wrote:
>
> > Hello!
>
> Hello Maxim,
>
> Thank you for your reply.
>
> > On Tue, Jan 22, 2013 at 11:21:44AM +0100, António P. P. Almeida
> > wrote:
> >
> >> Hello,
> >>
> >> I've not yet ventured into Nginx C module coding, but I would like
> >> to know if changing the current SSL module directives:
> >> ssl_certificate and ssl_certificate_key, so that instead of strings
> >> they can be variables (complex values) is feasible, or due to the
> >> fact that SSL happens below the protocol layer, is much more
> >> difficult, than, for instance, the recent transformation in
> >> variables of the auth_basic module directives?
> >
> > It is going to be much more difficult, as you have to reload
> > certificates and keys into SSL context before asking OpenSSL to
> > establish connection, and you'll likely need at least some caching
> > layer in place to make things at least somewhat reasonable from
> > performance point of view.
> >
> > Besides that, the only connection-specific info available when
> > establishing SSL connection is remote address (in all cases) and
> > server name indicated by a client (in case of SNI). Which makes
> > it mostly useless, as remote address destinction is mostly useless
> > (and/or should be done at layer 3), and server{} blocks are here
> > to handle server name distinction.
>
> It's precisely for SNI in mass SSL hosting. Wouldn't be much more
> efficient if there was a callback that returned the host (SNI) and
> that would select a proper (cert, key) pair so that instead of
> reloading we could proceed without having to reload the config?
>
> I would like for something of the kind.
>
> map $sni_host $cert {
> example.net example.net.pem;
> example.com example.com.pem;
> ...
> }
>
> map $sni_host $privkey {
> example.net key.example.net.pem;
> example.com key.example.com.pem;
> ...
> }
>
> Then in the server block:
>
> server {
> listen 80;
> listen 443 ssl;
> server_name *.example.*;
>
> ssl_certificate $cert;
> ssl_certificate_key $privkey;
>
> ...
> }
>
> Also this will avoid having a plethora of server {}.
As long as there will be cache layer to avoid re-reading certs -
it might be efficient enough to be usable. It will require much
more code than just adding variables support though, and things
like OCSP stapling won't be available. Overall I would recommend
using server{} blocks instead.
--
Maxim Dounin
http://nginx.com/support.html
More information about the nginx-devel
mailing list