Re: multiple SSL sites on single IP/port
From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 03/24/05
- Next message: Bernard: "Re: how do i disable anonymous users and add a new user?"
- Previous message: Chris Weber [Security MVP]: "Re: OWA Exploit"
- In reply to: yaponamat: "Re: multiple SSL sites on single IP/port"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Mar 2005 10:45:12 +0800
Yes, from your description: because the host header detail is encrypted,
SSL will not click with host headers. There's a new RFC spec which
supports host headers with SSL; I don't have the RFC number now.
Anyway - I tested this years ago. What you can do is:
- set up each site with the same IP/port + a different host header (a.bla.com,
  b.bla.com, etc.)
- make sure the cert is associated with each site
- make sure port 443 is assigned in each site
- do a netstat -ano, and make sure port 443 is bound to the IP.
Then browse https://a.bla.com/ and https://b.bla.com/.
Why this would work: when you refer to https://b.bla.com/ it is
actually using the cert copy at site 1 (a.bla.com), and since the common
name is *.bla.com, you will not get the cert alert prompt.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

"yaponamat" <yaponamat@discussions.microsoft.com> wrote in message
news:22EC8BEA-889D-4619-807F-FAB5EF46FA22@microsoft.com...
> Bernard,
>
> thanks for your reply. yes, the cert is configured for all websites and I
> can view it under 2nd or 3rd site's directory security.
>
> However, the stuff doesn't work on single ip/port combination. it would load
> one site's content only. here's a good explanation of the process I found in
> this newsgroup:
>
> ---------------------------------------------------------
> Here's a quick description, to demonstrate why:
>
> 1. The client takes the URL and resolves the name into an IP address, and a
> port (usually a default port).
> 2. The client connects to that IP address, on the requested port
> 3. The server running at that IP address and port answers.
> 4. The client sends a "hello" message, asking the server to send its
> certificate.
> 5. The server sends the certificate to the client.
> 6. The client checks the name in the certificate against the name it had in
> step 1.
> 7.1. If the certificate matches, the client and server start encrypted
> exchanges.
> 7.2. If the certificate doesn't match, the client displays an error to the
> user and stops.
> 8. The client sends HTTP request headers, encrypted, to the server.
> 9. The server sends back HTTP responses, encrypted, containing content
> requested.
>
> Note that host headers are sent in step 8, but the server has to pick a
> certificate to send in step 5, and that certificate must have the server
> name that the user asked for. The server has no clue as to which
> certificate it must pick, so it must have a single certificate to send back
> on that IP address and port.
>
> There is work under way to produce a "next version" of TLS, that will allow
> a client to send the host name it wants in step 4, so that the server can
> choose among several certificates, but it is not clear exactly when (if
> ever) this will be implemented in browsers or web servers - and it has to be
> implemented, and enabled, in both if it is to work.
> ----------------------------------------------------------------------------------------
>
> I'm still curious whether it's possible to get it to work with wildcard
> certificate...
>
>
> "Bernard" wrote:
>
>> Sharepoint is just webapp sitting on IIS, and I tested wildcard before and
>> it works.
>> Did you configure the cert in 2nd or 3rd sites as well ?
>>
>> at the 2nd site property, directory security tab. can you view the
>> certificate ?
>>
>> --
>> Regards,
>> Bernard Cheah
>> http://www.tryiis.com/
>> http://support.microsoft.com/
>> http://www.msmvps.com/bernard/
>>
>>
>> "yaponamat" <yaponamat@discussions.microsoft.com> wrote in message
>> news:D2D37BFC-3D3A-4EC4-95C8-F9B80A143F90@microsoft.com...
>> > Hello,
>> >
>> > I'd appreciate help with the following scenario:
>> >
>> > I have a Sharepoint installation, obviously on top of IIS. We generated
>> > several sites via Sharepoint, that are accessible as third level domains:
>> > home.ourdomain.com project1.ourdomain.com, project2.ourdomain.com etc. They
>> > are all hosted out of one IIS server, DNS for all these domains points to
>> > IIS server and then IIS determines which site to present to end users based
>> > on host headers.
>> >
>> > We would like to enable SSL on all of these sites. However, there is the
>> > known requirement for unique ip/port combination for each secure site.
>> > Hosting SSL on alternate ports for each site is not an option for us, so
>> > we are faced with assigning multiple IPs to the IIS server, creating NAT
>> > entries on the firewall for each IP, registering A records for each
>> > individual domain and pointing them to different IPs – a lot of admin and
>> > maintenance overhead.
>> >
>> > Now, I read here:
>> > http://www.sitepoint.com/forums/showthread.php?t=231424
>> > about a possible solution with using wildcard certificates:
>> >
>> > “Another, more expensive (but reliable) alternative is to have a wildcard
>> > ssl and offer sub-domains that share the same SSL certificate, in this
>> > situation you do not have to buy additional IP addresses (but have to pay
>> > a lot for these certificates)!”
>> >
>> > We do have a wildcard certificate for our root domain *.ourdomain.com. All
>> > the websites under IIS are using this wildcard certificate. As per
>> > proposed solution quoted above, we should be able to skip using multiple
>> > IPs. However, it doesn't seem to work: if I specify default 443 port for
>> > two SSL websites and set IP to either “default” or the primary IP of the
>> > server for both of them, when I try to load home.ourdomain.com over SSL it
>> > does load, but then if I try project1.ourdomain.com over SSL, it loads
>> > home.ourdomain.com content instead. There are separate A records for
>> > home.ourdomain.com and project1.ourdomain.com, both pointing to the same IP.
>> >
>> > Could someone please tell if wildcard certificate solution is of any help
>> > as claimed on this forum:
>> > http://www.sitepoint.com/forums/showthread.php?t=231424
>> >
>> > If it does help to work around assigning multiple IPs to the IIS server,
>> > what might I be doing wrong?
>> >
>> > If wildcard certificate deal doesn't help, are there any alternatives,
>> > perhaps plugins by third parties or something like that? I'd very much
>> > like to avoid having multiple IPs, since we may have 40 or 50 different
>> > third level domain based websites under Sharepoint and managing all of
>> > this is a bit of a pain.
>> >
>> > Thanks in advance for any help.
>> >
>>
>>
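The nine-step description quoted in the thread (certificate chosen in step 5, Host header only available in step 8, name check in step 6) and Bernard's point that a *.bla.com certificate passes that check for every subdomain can both be modelled in a few lines. The Python below is an added example written for this page, not code from the thread, from IIS or from any browser. The Certificate, Listener and simulate_handshake names are invented for the model; the "next version of TLS" hook the quoted text mentions is represented as an optional server name the client may include in its hello (what later became the SNI extension); and every hostname and certificate is constructed sample data with no real keys involved.

```python
"""Added example: a model of TLS certificate selection (steps 4-7 of the
quoted handshake description) with and without a client-supplied server
name, plus the client-side name check that decides whether a wildcard
certificate is accepted.  No real keys or network; all data is constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    """Only the name material a client inspects: subject CN and SAN dNSNames."""
    common_name: str
    san_dns: Tuple[str, ...] = ()

    def dns_names(self) -> Tuple[str, ...]:
        # RFC 6125 rule: when the SAN extension carries dNSNames the CN is
        # ignored; only a certificate without SAN falls back to its CN.
        return self.san_dns if self.san_dns else (self.common_name,)


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """Step 6: does any name the certificate presents match the name the
    client resolved in step 1?  Wildcard handling follows the rules modern
    clients apply: '*' must be the entire leftmost label, it matches exactly
    one label, and it never matches the bare parent domain."""
    host = hostname.rstrip(".").lower()
    for presented in cert.dns_names():
        name = presented.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                  # "*.bla.com" -> ".bla.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


@dataclass
class Listener:
    """One IP:port binding on the server.  A server that never sees a server
    name in the hello can hold only one certificate per listener, because
    nothing else in the handshake tells it which site the client wants."""
    default_cert: Certificate
    by_server_name: Dict[str, Certificate] = field(default_factory=dict)

    def choose_certificate(self, sni_name: Optional[str]) -> Certificate:
        """Step 5.  The Host header (step 8) is not available yet, so without
        a server name the only possible choice is the default certificate."""
        if sni_name is not None:
            return self.by_server_name.get(sni_name.lower(), self.default_cert)
        return self.default_cert


def simulate_handshake(listener: Listener, requested_host: str,
                       client_sends_sni: bool) -> Tuple[bool, str]:
    """Steps 4-7: returns (accepted, CN of the certificate that was sent)."""
    sni = requested_host if client_sends_sni else None
    cert = listener.choose_certificate(sni)
    return hostname_matches(cert, requested_host), cert.common_name


# Constructed sample listeners modelled on the thread's scenario.
WILDCARD_LISTENER = Listener(default_cert=Certificate("*.ourdomain.com"))

PER_SITE_LISTENER = Listener(
    default_cert=Certificate("home.ourdomain.com"),
    by_server_name={
        "home.ourdomain.com": Certificate("home.ourdomain.com"),
        "project1.ourdomain.com": Certificate("project1.ourdomain.com"),
    },
)

if __name__ == "__main__":
    for host in ("home.ourdomain.com", "project1.ourdomain.com"):
        for sni in (False, True):
            for label, listener in (("wildcard", WILDCARD_LISTENER),
                                    ("per-site", PER_SITE_LISTENER)):
                ok, cn = simulate_handshake(listener, host, sni)
                print(f"{label:8} sni={sni!s:5} {host:24} cert={cn:24} "
                      f"{'accepted' if ok else 'step 7.2 error'}")
```

Running it shows the two halves of the thread's argument: with one wildcard certificate on the listener, every subdomain passes step 6 whether or not the client names the site, which is why Bernard sees no certificate prompt; with one certificate per site, a client that sends no server name always receives the default certificate and fails step 7.2 for every other site. The model covers certificate selection only. Which site's content the server then serves (the symptom in the question) is decided by the web server's host-header routing after step 8, not by the certificate.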