Re: SSL Host Headers IIS 6.0
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/17/05
- In reply to: Jeniffer K: "SSL Host Headers IIS 6.0"
Date: Wed, 16 Nov 2005 21:11:15 -0800
You have two SSL sites with different certificates/identities. You will
either need two IPs or two Ports. I suggest two different IPs in your case
because if you change ports, you will likely need to change a lot of web
pages or do a lot of coding.
You will not be able to use one IP:Port for both SSL sites that have
different certificates. Think about it this way -- suppose you have:
- www.CompanyA.com host header resolves to IP1:www.CompanyA.com
- www.CompanyA.com website has its own SSL Certificate
- www.CompanyB.com host header resolves to IP1:www.CompanyB.com
- www.CompanyB.com website has its own SSL Certificate
Suppose someone makes the request https://www.CompanyA.com - which
translates into a request to IP1 over port 443 with host header
www.CompanyA.com. Now, how does IIS know whether to use www.CompanyA.com's
SSL Certificate or www.CompanyB.com's SSL Certificate to do the SSL
negotiation? The host header value is encrypted with SSL, so IIS has to
first complete SSL handshake with *some* SSL Server Certificate to decrypt
and get the host header... but which one? This is basically a by-design
catch-22.
Thus, the only way to have SSL work is:
1. Each website has a distinct IP:Port and a distinct SSL Certificate
2. Websites with an identical IP:Port must have a wildcard SSL Certificate that
covers the identity of each website
Since you have distinct SSL Certificates and no wildcard SSL Certificate
covers the identity of both your websites, you must pursue option #1. And
you are choosing a distinct IP so you don't need to recode any web pages.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Jeniffer K" <me@me.com> wrote in message news:%23gIIn8t6FHA.1184@TK2MSFTNGP12.phx.gbl...

Today is the first time I've tried configuring a few sites with a cert and discovered that it's not all that simple. I was under the assumption that it's much like standard http on port 80, where it allows you to share the same IP by specifying host headers, with https on port 443. However, it is an entirely different story: the site will fail to bind if two sites share the same port. I've searched and found the use of wildcard certificates, but it's somewhat problematic for me because I have physically separate certificates for each site; each site is an entirely different company. So how do I go about doing this? Also, say I change the SSL port number for each site I want to secure, will I have to hard code the new port on each page that's linking to a secure page?

Please advise.
Thanks
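The two workable layouts listed in the reply above, written as a binding check. This is an added example, not part of the original posting and not IIS code; the site dictionaries, function names and 192.0.2.x addresses are constructed, and wildcard names are assumed to cover exactly one left-most label.

```python
from collections import defaultdict

def name_covers(cert_name, host):
    """True if a certificate name covers host ('*' = exactly one left-most label)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == cert_name[2:]
    return cert_name == host

def check_bindings(sites):
    """sites: dicts with host, ip, port, cert (tuple of names in the certificate).
    Returns a list of problems; an empty list means the layout can work."""
    problems = []
    by_endpoint = defaultdict(list)
    for s in sites:
        by_endpoint[(s["ip"], s["port"])].append(s)
        if not any(name_covers(n, s["host"]) for n in s["cert"]):
            problems.append(f'{s["host"]}: certificate does not cover this host')
    for endpoint in sorted(by_endpoint):
        group = by_endpoint[endpoint]
        if len(group) < 2:
            continue  # option 1: distinct IP:Port, its own certificate
        # Option 2: the certificate is chosen before the host header is readable,
        # so every site on this endpoint must present the same certificate.
        if len({tuple(s["cert"]) for s in group}) > 1:
            hosts = ", ".join(s["host"] for s in group)
            problems.append(f"{endpoint[0]}:{endpoint[1]}: {hosts} share the "
                            "endpoint but use different certificates")
    return problems

# Constructed sample layouts (documentation address range 192.0.2.0/24).
SHARED_IP = [
    {"host": "www.CompanyA.com", "ip": "192.0.2.10", "port": 443, "cert": ("www.CompanyA.com",)},
    {"host": "www.CompanyB.com", "ip": "192.0.2.10", "port": 443, "cert": ("www.CompanyB.com",)},
]
SPLIT_IP = [dict(SHARED_IP[0]), dict(SHARED_IP[1], ip="192.0.2.11")]
WILDCARD = [
    {"host": "www.example.com", "ip": "192.0.2.10", "port": 443, "cert": ("*.example.com",)},
    {"host": "shop.example.com", "ip": "192.0.2.10", "port": 443, "cert": ("*.example.com",)},
]

if __name__ == "__main__":
    for label, layout in (("shared", SHARED_IP), ("split", SPLIT_IP), ("wildcard", WILDCARD)):
        print(label, check_bindings(layout) or "OK")
```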