You are assuming that the domain name will be in the SSL handshake. While it will be, in many cases, a very large number of browsers won't send it. In particular, Internet Explorer running on Windows XP does not support SNI. For more information, have a look at:

http://en.wikipedia.org/wiki/Server_Name_Indication

Once SNI becomes widely adopted (i.e. Windows XP dies), then, yes, you may need to resort to resolving certificates at run-time to support your setup.

On Tue, May 25, 2010 at 11:03 AM, Adam Hasselbalch Hansen <[email protected]> wrote:
> Adam Hasselbalch Hansen wrote:
>>
>> We have a setup that uses an in-house module which works not entirely
>> unlike mod_vhost_alias, in that it has a single virtual host configured, and
>> then determines stuff like domain name, docroot, etc, from the request.
>>
>> We'd love to be able to use SSL in this setup, but as far as I can see,
>> the only way to do this would be to change (i.e. hack) mod_ssl to do the
>> certificate loading sometime around request-time, since the apache server
>> and SSL have no clue what virtual hosts they will be serving at startup.
>>
>> How would such a hack, if at all possible, affect stuff like certificate
>> caching and other things?
>>
>> I'd love any feedback!
>
> Anyone?
>
> --
> Adam Hasselbalch Hansen
> UNIX Systems Developer, CPH
> e: [email protected], w: www.one.com

--
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
