Does anyone know if it is possible to host multiple SSL domains on a single IP in IIS 7? I know this was impossible in version 6, would be great if this is now possible. Any info appreciated.
Yes/No, SSL support in IIS 7 and 6 should be the same. and you will be able to use wildcard SSL for multiple site on a single ip with the condition that all sites are sharing the same root domain.
Hey-
Bernard is correct that in IIS7 that it will support wildcard certs for multiple SSL support. However, like IIS 6, the IIS Manager for IIS7 doesn't support configuring IIS7 using SSL & Host Headers. Thus, the same approach as was used in IIS 6 would be used
with slight modifications to the actual utility. For example, instead of using adsutil.vbs to set the configuration property SecureBindings you would use AppCmd or Microsoft.Web.Administration for the <sites> collection's bindings. If you can't figure this
out, let us know and I am happy to test and give back the sample...
Thanks,
~Chris
Program Manager
IIS Product Unit (Microsoft)
I have problems even with one SSL-enabled site. If I enable SSL with for example contoso1.com, https://contoso1.com works fine. But requests for other sites like https://contoso2.com, https://contoso3.com and so on ( assuming I have multiple sites contoso1.com,
contoso2.com ... hosted by IIS ) return the same page https://contoso1.com. Of course these requests should never come in in the first place. But anyway is it possible to configure IIS to return something like 404 for those requests?
You can configure the SSL binding of the web-site to take a host-header - I do not remember whether the UI allows you to do that, but you can definitely do it by directly editing configuration.
Anil Ruia
Software Design Engineer
IIS Core Server
Unless something has changed in the most recent release of the UI, Host Header & SSL support (SecureBindings) isn't supported in the UI. Just adding that since Anil commented...
-Chris
~Chris
Program Manager
IIS Product Unit (Microsoft)
And it shows up in Bindings in UI but is not editable.
Some minor problems still persist. An http :80 request with wrong Host Header never goes to the site. But an https :443 request with wrong Host Header still goes through to the site. The brower reports certificate error, I can view certificate details and
only after I hit "Proceed to the site - Not recommended" I receive 404 response.
Not a big deal but some clients can get disappointed.
Any ideas? I think I can write an HttpModule to check for wrong Host Header - now it is possible to do using .NET - great. That's only a couple lines of code.
The request is not going to the site - it is being rejected by http.sys as soon as it sees the host header - but that happens after the SSL negotiation which is why you see the bad certificate thing on the client.
Anil Ruia
Software Design Engineer
IIS Core Server
There is nothing you can do - SSL negotiation has to happen before the serve knows which hostname the client is interested in - and the only thing the server knows before that is the IP address.
Anil Ruia
Software Design Engineer
IIS Core Server
lonewolfaz
2 Posts
IIS 7 & SSL
Jun 02, 2007 02:54 AM|LINK
Does anyone know if it is possible to host multiple SSL domains on a single IP in IIS 7? I know this was impossible in version 6, would be great if this is now possible. Any info appreciated.
qbernard
5016 Posts
MVP
Moderator
Re: IIS 7 & SSL
Jun 05, 2007 04:31 AM|LINK
Yes/No, SSL support in IIS 7 and 6 should be the same. and you will be able to use wildcard SSL for multiple site on a single ip with the condition that all sites are sharing the same root domain.
Bernard Cheah
chrisad
289 Posts
Re: IIS 7 & SSL
Aug 03, 2007 07:42 AM|LINK
Hey-
Bernard is correct that in IIS7 that it will support wildcard certs for multiple SSL support. However, like IIS 6, the IIS Manager for IIS7 doesn't support configuring IIS7 using SSL & Host Headers. Thus, the same approach as was used in IIS 6 would be used with slight modifications to the actual utility. For example, instead of using adsutil.vbs to set the configuration property SecureBindings you would use AppCmd or Microsoft.Web.Administration for the <sites> collection's bindings. If you can't figure this out, let us know and I am happy to test and give back the sample...
Thanks,
Program Manager
IIS Product Unit (Microsoft)
ashayderov
9 Posts
Re: IIS 7 & SSL
Nov 24, 2007 07:00 PM|LINK
Hi
I have problems even with one SSL-enabled site. If I enable SSL with for example contoso1.com, https://contoso1.com works fine. But requests for other sites like https://contoso2.com, https://contoso3.com and so on ( assuming I have multiple sites contoso1.com, contoso2.com ... hosted by IIS ) return the same page https://contoso1.com. Of course these requests should never come in in the first place. But anyway is it possible to configure IIS to return something like 404 for those requests?
Thanks
IIS SSL
anilr
2343 Posts
Microsoft
Re: IIS 7 & SSL
Nov 26, 2007 06:06 PM|LINK
You can configure the SSL binding of the web-site to take a host-header - I do not remember whether the UI allows you to do that, but you can definitely do it by directly editing configuration.
Software Design Engineer
IIS Core Server
chrisad
289 Posts
Re: IIS 7 & SSL
Nov 26, 2007 07:07 PM|LINK
Unless something has changed in the most recent release of the UI, Host Header & SSL support (SecureBindings) isn't supported in the UI. Just adding that since Anil commented...
-Chris
Program Manager
IIS Product Unit (Microsoft)
ashayderov
9 Posts
Re: IIS 7 & SSL
Nov 26, 2007 08:23 PM|LINK
Thank you for your prompt reply
That's right, I edited configuration manually. Turns out it's not a big deal :-)
Now it looks like
<div class="c" style="margin-left: 1em; text-indent: -2em;">- <bindings></div> <div> <div class="e"> <div style="margin-left: 1em; text-indent: -2em;"> <binding protocol="http" bindingInformation="*:80:contoso.com" /> </div></div> <div class="e"> <div style="margin-left: 1em; text-indent: -2em;"> <binding protocol="https" bindingInformation="*:443:contoso.com" /> </div></div> <div></bindings></div></div>And it shows up in Bindings in UI but is not editable.
Some minor problems still persist. An http :80 request with wrong Host Header never goes to the site. But an https :443 request with wrong Host Header still goes through to the site. The brower reports certificate error, I can view certificate details and only after I hit "Proceed to the site - Not recommended" I receive 404 response.
Not a big deal but some clients can get disappointed.
Any ideas? I think I can write an HttpModule to check for wrong Host Header - now it is possible to do using .NET - great. That's only a couple lines of code.
Thank you again
Art
anilr
2343 Posts
Microsoft
Re: IIS 7 & SSL
Nov 26, 2007 08:30 PM|LINK
The request is not going to the site - it is being rejected by http.sys as soon as it sees the host header - but that happens after the SSL negotiation which is why you see the bad certificate thing on the client.
Software Design Engineer
IIS Core Server
ashayderov
9 Posts
Re: IIS 7 & SSL
Nov 26, 2007 09:38 PM|LINK
So what do you think? Is there something I can do with this certificate thing?
Http Module is not a solution. I can not insert it into or before SSL negotiation. Right?
anilr
2343 Posts
Microsoft
Re: IIS 7 & SSL
Nov 27, 2007 04:16 PM|LINK
There is nothing you can do - SSL negotiation has to happen before the serve knows which hostname the client is interested in - and the only thing the server knows before that is the IP address.
Software Design Engineer
IIS Core Server