Re: shared SSL
From: Alun Jones (alun@texis.com)
Date: 12/12/02
- Next message: Rick: "IIS Integrated Auth will not work from 9X client"
- Previous message: Chris Curtis: "Problem with IISHelp"
- In reply to: Thomas Deml [Msft]: "Re: shared SSL"
- Next in thread: Daniel: "Re: shared SSL"
- Reply: Daniel: "Re: shared SSL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: alun@texis.com (Alun Jones)
Date: Thu, 12 Dec 2002 12:05:34 GMT
In article <OvW3Z9aoCHA.1624@TK2MSFTNGP10>, "Thomas Deml [Msft]"
<thomad@online.microsoft.com> wrote:
>I have to agree that this is kind of unfortunate. As you already mentioned,
>IIS always routes to the first site configured for SSL on a particular IP
>address. The UI allows you to configure multiple SSL sites on the same IP,
>but IIS would never route requests to a second site. Not even wildcard certs
>(*.domainname.com) would help, because the routing to a particular site is
>done before the cert is used for decryption. IIS would have to evaluate the
>request twice before it routes:
>1) When the request comes in a cert has to be found for the IP:Port
>combination. The cert is used to decrypt the request.
>2) When the request is decrypted the host-header becomes available (it came
>in encrypted) - now IIS can route to a host-header based site.
Of course, once everyone implements the suggestions in
http://www.ietf.org/internet-drafts/draft-ietf-tls-extensions-05.txt, there
will be an alternative, since one of the suggestions in that draft is to
provide a ClientHello optional extension that describes the name of the server
being connected to, and thus allows the server to choose which server
certificate to return.
Any ideas when Microsoft is going to extend their TLS implementation, and the
SChannel API, to support this?
[Note: while the document is still a 'draft', the IESG is currently actively
considering making this into a Proposed Standard RFC]
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software     | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place     | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419    | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858   | read details of WFTPD Pro for XP/2000/NT.
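The point both posters make is that the Host header only becomes available after the record layer has been decrypted, so a server that binds one certificate per IP:port has already had to pick that certificate blind, whereas the server_name extension in the TLS extensions draft puts the target host name in the cleartext ClientHello, where the server can read it before choosing which certificate to offer. The following is an added example (not code from either poster, from Microsoft, or from the draft) that constructs a minimal ClientHello with the extension, parses the name back out, and dispatches to a site the way an SNI-aware server would. The extension type (0) and name type (host_name = 0) are taken from the draft; the host names, the certificate labels and the cipher suite are assumptions chosen for illustration only.

```python
import struct

# Constructed example: build a TLS 1.0 ClientHello carrying the server_name
# extension (extension type 0 in the TLS extensions draft), then parse it
# back out the way an SNI-aware server would before it picks a certificate.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # extension type from the draft
NAME_TYPE_HOST_NAME = 0x00    # NameType host_name from the draft


def build_client_hello(server_name=None, version=(3, 1)):
    """Return a TLS record containing a ClientHello; adds SNI if server_name is given."""
    body = bytes(version)                          # client_version (3,1 = TLS 1.0)
    body += bytes(32)                              # random (all zero: constructed input)
    body += b"\x00"                                # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"     # one cipher suite (assumed: 0x002F)
    body += b"\x01\x00"                            # one compression method: null
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext  # extensions block (only present with SNI)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from the server_name extension, or None if the
    ClientHello carries no such extension (i.e. a pre-draft client)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                               # skip version + random
    sid_len = p[off]; off += 1 + sid_len                       # skip session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2 + cs_len   # skip cipher suites
    cm_len = p[off]; off += 1 + cm_len                         # skip compression methods
    if off >= len(p):
        return None                                            # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    end = off + ext_len
    if end > len(p):
        raise ValueError("extensions length overruns ClientHello")
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
        edata = p[off:off + elen]; off += elen
        if len(edata) != elen:
            raise ValueError("extension length overruns extensions block")
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q, lend = 2, 2 + list_len
        while q + 3 <= lend:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]; q += 3 + nlen
            if ntype == NAME_TYPE_HOST_NAME and len(name) == nlen:
                return name.decode("ascii")
    return None


def choose_site(record, sites):
    """Pick which site's certificate to offer on a shared IP:port.
    `sites` maps host_name -> certificate label, in binding order.
    Without SNI the server can only fall back to the first site bound
    to the address, which is the behaviour the thread describes for IIS."""
    name = parse_sni(record)
    if name is not None and name in sites:
        return name, sites[name]
    first = next(iter(sites))
    return first, sites[first]


if __name__ == "__main__":
    # Assumed site names and cert labels, two SSL sites sharing one IP:port.
    sites = {"www.example.com": "cert-A", "www.example.net": "cert-B"}
    print(choose_site(build_client_hello("www.example.net"), sites))
    print(choose_site(build_client_hello(), sites))
```

The parser deliberately returns None rather than raising when the extensions block is absent, since a client that predates the draft sends a perfectly valid ClientHello without it; on that path the server is back to the IP:port lookup the thread complains about, so the fallback in choose_site is the first-bound site, not an error.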