Ivan Ristic wrote:
You are assuming that the domain name will be in the SSL handshake.
While it will be, in many cases, a very large number of browsers won't
send it. In particular, Internet Explorer running on Windows XP does
not support SNI. For more information, have a look at:

http://en.wikipedia.org/wiki/Server_Name_Indication

Once SNI becomes widely adopted (i.e. Windows XP dies), then, yes, you
may need to resort to resolving certificates at run-time to support
your setup.

Yes, I know about SNI, and while your points are all valid, they have little to do with my question. :)

For the sake of the argument, assume that all HTTP clients in the world send SNI every time.

The problem then is configuration and certificate loading. At startup, with dynamic virtual hosts (a la mod_vhost_alias), Apache cannot know which virtual hosts it is going to serve, and thus mod_ssl has no idea which certificates to load.

So what I'm attempting to get feedback on is whether or not it will be possible or even feasible to move certificate loading (as in the actual reading of certificate files) from startup time to request time, and if so, what caveats if any this may lead to.


--
Adam Hasselbalch Hansen
UNIX Systems Developer, CPH
e: a...@one.com, w: www.one.com
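To make the idea in the question concrete, here is an added example (not code from the thread, and not Apache or mod_ssl code) of request-time certificate selection in a Python TLS server: the certificate is located and loaded the first time a given SNI name is seen, with the SNI value treated as untrusted input before it is turned into a path. The directory layout (`<cert_dir>/<hostname>.crt` and `.key`), the hostnames and the default-certificate paths are assumptions for illustration; Python 3.7+ is assumed for `SSLContext.sni_callback`.

```python
"""Request-time certificate selection keyed on the TLS SNI name.

Added example, not from the original thread or from Apache/mod_ssl.
Assumed layout: <cert_dir>/<hostname>.crt and <cert_dir>/<hostname>.key.
"""
import os
import re
import ssl
import threading

# Syntactically valid, lower-case DNS name: labels of 1-63 chars, no leading
# or trailing hyphen, total length at most 253.  Nothing else is allowed to
# reach the filesystem, because the SNI value is chosen by the client.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize_server_name(server_name):
    """Canonicalise an SNI value, or return None if absent or unsafe."""
    if not server_name:
        return None
    name = server_name.strip().lower().rstrip(".")
    if not _HOSTNAME_RE.match(name):
        return None
    return name


def cert_paths_for(server_name, cert_dir):
    """Map an SNI name to (certfile, keyfile) under cert_dir, or None.

    Pure path construction: it does not touch the filesystem, so that the
    validation can be checked on its own.
    """
    name = normalize_server_name(server_name)
    if name is None:
        return None
    return (os.path.join(cert_dir, name + ".crt"),
            os.path.join(cert_dir, name + ".key"))


class SniCertResolver:
    """Loads a vhost certificate the first time its name is requested.

    Loaded SSLContexts are cached per name.  A client that sends no SNI
    (server_name is None), or asks for a name with no certificate on disk,
    falls through to the default context, which is what a non-SNI client
    gets from any SNI-based setup.
    """

    def __init__(self, cert_dir, default_ctx):
        self.cert_dir = cert_dir
        self.default_ctx = default_ctx
        self._cache = {}
        self._lock = threading.Lock()

    def context_for(self, server_name):
        """Return a cached or freshly loaded context, or None for default."""
        paths = cert_paths_for(server_name, self.cert_dir)
        if paths is None:
            return None
        name = normalize_server_name(server_name)
        with self._lock:
            if name in self._cache:
                return self._cache[name]
        certfile, keyfile = paths
        if not (os.path.isfile(certfile) and os.path.isfile(keyfile)):
            return None
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)  # the request-time load
        with self._lock:
            self._cache[name] = ctx
        return ctx

    def __call__(self, sslsocket, server_name, default_ctx):
        """Matches the ssl.SSLContext.sni_callback signature."""
        ctx = self.context_for(server_name)
        if ctx is not None:
            sslsocket.context = ctx  # swap certificate mid-handshake
        return None  # None continues the handshake


def make_server_context(cert_dir, default_cert, default_key):
    """Default context (for no-SNI clients) with the resolver installed."""
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    default_ctx.load_cert_chain(default_cert, default_key)
    default_ctx.sni_callback = SniCertResolver(cert_dir, default_ctx)
    return default_ctx
```

Wrap a listening socket with `make_server_context(...).wrap_socket(sock, server_side=True)`; each handshake then triggers `SniCertResolver.__call__`, and a name is read from disk only once. Two caveats this layout makes visible: the default certificate must still exist at startup, since clients without SNI never reach the callback, and a bad PEM file is only discovered on the first request for that name rather than at startup.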
