Re: Re: Problems with dynamically generating certificate...

>> Since the request follows the handshake, would you even know the
>> hostname being requested at the right time? (SNI aside)

One idea is to have a custom-made DNS server which always issues a random IP in, let's say, the 10.1.x.x series for each hostname->IP request. The certgenerate software could get the target IP by having Apache give it %{SERVER_ADDR} as an argument (let's say it's 10.1.234.11), and then the certgenerate software could query the DNS server for which hostname was requested when it returned 10.1.234.11.

(The client would have an IP in the 10.2.x.x series and a netmask of 255.0.0.0.)

So let's say a user wants to visit https://www.verisign.com

The user would do a DNS request to my DNS server. My DNS server gives a random IP as the answer (let's say 10.1.234.11), with a very low TTL. Then the DNS server would store in its datafile that 10.1.234.11 was the response for www.verisign.com.

Then the user does an HTTPS request to my proxy server, which listens on 10.1.*.*. The server would then start the certgenerate program, which gets the IP 10.1.234.11. certgenerate opens the DNS server's datafile, checks which hostname was returned for 10.1.234.11, and gets www.verisign.com.

Then certgenerate creates a certificate which is valid for www.verisign.com, signs it with my CA key, and prints it on STDOUT, and then the user would get no certificate warnings since my CA key is imported in the browser.

So, as you said there is no support in Apache for dynamic certificate generation, why not add support for it? Make it a feature request. Of course, all environment variables that are available before the SSL handshake could be available in %{<variable>} notation, so they can be used as arguments to the dynamic certificate generation program.

I would suggest implementing the dynamic certificate support with exec: in SSLCertificateFile.

Best regards, Sebastian Nielsen
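The address-to-hostname binding described in the post, written out as an added example (this is not code from the post, from Sebastian, or from Apache httpd). The DNS side keeps a lease table mapping each 10.1.x.x answer to the queried hostname; the certgenerate side takes the address Apache would pass as %{SERVER_ADDR}, looks the hostname back up, and signs a leaf certificate for it with the proxy CA by calling the `openssl` command-line tool. Two things go beyond the post and are my assumptions: addresses are handed out round-robin and only reused once their lease has expired (a random pick over 10.1.x.x can give two in-flight clients the same address, and the second would then receive a certificate for the first client's hostname), and the lease outlives the DNS TTL by a grace period so that a client that connects right at the end of the TTL still resolves. The hostname is also syntax-checked before it is written into the OpenSSL config, since it comes straight out of a client-controlled DNS query. The pool, TTL and grace values are illustrative.

```python
"""Lease table (DNS side) plus certgenerate (proxy side) for a per-hostname 10.1.x.x address.
Added example; pool, TTL, grace, round-robin allocation and hostname check are assumptions."""
import ipaddress
import json
import re
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

POOL = ipaddress.ip_network("10.1.0.0/16")  # assumption for the post's "10.1.x.x series"

# The name arrives in a client-controlled DNS query and is later written into an OpenSSL
# config file, so only plain DNS labels are accepted (no newlines, brackets or spaces).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def hostname_ok(hostname):
    name = hostname.rstrip(".").lower()
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def check_hostname(hostname):
    if not hostname_ok(hostname):
        raise ValueError(f"refusing hostname {hostname!r}")
    return hostname.rstrip(".").lower()


class LeaseTable:
    """Maps an address given in a DNS answer to the hostname that was queried.
    datafile=None keeps the table in memory only; otherwise it is persisted as JSON
    (the post's "datafile") so a separately started certgenerate can read it."""

    def __init__(self, datafile, pool=POOL, dns_ttl=2, grace=30, now=time.time):
        self.datafile = Path(datafile) if datafile else None
        self.hosts = [str(h) for h in pool.hosts()]
        self.lease_seconds = dns_ttl + grace  # binding must outlive the answer's TTL
        self.now = now
        self.cursor = 0
        self.leases = {}  # ip -> [hostname, expiry]
        if self.datafile and self.datafile.exists():
            self.leases = json.loads(self.datafile.read_text())

    def _save(self):
        if self.datafile:
            self.datafile.write_text(json.dumps(self.leases))

    def answer(self, hostname):
        """Address to put in the A record for this query."""
        name = check_hostname(hostname)
        t = self.now()
        for ip, (h, exp) in self.leases.items():  # a retry within the lease gets the same answer
            if h == name and exp > t:
                return ip
        for _ in range(len(self.hosts)):  # round-robin, skipping addresses still leased
            ip = self.hosts[self.cursor]
            self.cursor = (self.cursor + 1) % len(self.hosts)
            if ip not in self.leases or self.leases[ip][1] <= t:
                self.leases[ip] = [name, t + self.lease_seconds]
                self._save()
                return ip
        raise RuntimeError("address pool exhausted; every lease is still live")

    def hostname_for(self, ip):
        """Reverse lookup used by certgenerate; None once the lease has expired."""
        lease = self.leases.get(ip)
        if lease is None or lease[1] <= self.now():
            return None
        return lease[0]


def req_config(hostname):
    """OpenSSL config for a leaf certificate naming the host in CN and subjectAltName."""
    name = check_hostname(hostname)
    return ("[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n"
            f"[dn]\nCN = {name}\n"
            "[ext]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n"
            f"subjectAltName = DNS:{name}\n")


def certgenerate(table, server_addr, ca_crt, ca_key, workdir):
    """What Apache would exec with %{SERVER_ADDR}: resolve the address back to the
    hostname and sign a one-day leaf for it with the proxy CA. Returns the PEM."""
    name = table.hostname_for(server_addr)
    if name is None:
        raise LookupError(f"no live lease for {server_addr}; refusing to guess a hostname")
    work = Path(workdir)
    cnf = work / "leaf.cnf"
    cnf.write_text(req_config(name))
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout",
                    work / "leaf.key", "-out", work / "leaf.csr", "-config", cnf],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "x509", "-req", "-in", work / "leaf.csr", "-CA", ca_crt,
                    "-CAkey", ca_key, "-CAcreateserial", "-days", "1", "-extfile", cnf,
                    "-extensions", "ext", "-out", work / "leaf.crt"],
                   check=True, capture_output=True)
    return (work / "leaf.crt").read_text()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        table = LeaseTable(Path(d) / "dns.json")
        ip = table.answer("www.verisign.com")  # the DNS server's answer to the client
        print(f"DNS answered {ip}; proxy sees SERVER_ADDR={ip} -> {table.hostname_for(ip)}")
        if shutil.which("openssl"):  # throwaway CA standing in for "my CA key"
            ca_key, ca_crt = Path(d) / "ca.key", Path(d) / "ca.crt"
            subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                            "-keyout", ca_key, "-out", ca_crt, "-days", "1",
                            "-subj", "/CN=proxy test CA"], check=True, capture_output=True)
            print(certgenerate(table, ip, ca_crt, ca_key, d))  # PEM Apache would read on STDOUT
        else:
            print(req_config("www.verisign.com"))
```

The lease table is the part worth getting right: the certificate's name is whatever hostname is bound to the address at the moment the handshake arrives, so the binding has to be unique per address for as long as a client might still be using that answer, and certgenerate should refuse rather than guess when no live lease exists.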



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.


