
TLS Server Name Indication Support

10 replies

Last post Jan 07, 2010 11:06 AM by mcassman

  • TLS Server Name Indication Support

    Oct 20, 2009 02:45 AM|Cheetah1980|LINK

    We want IIS to support TLS Server Name Indication, because we want to host multiple secure websites with different certificates on a single IP address. TLS SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
  • Re: TLS Server Name Indication Support

    Oct 20, 2009 02:07 PM|anilr|LINK

    This feature is under consideration for the next release of Windows.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: TLS Server Name Indication Support

    Oct 20, 2009 05:31 PM|Cheetah1980|LINK

    Okay, thanks for the quick reply. In the meantime we'll use Linux and OpenSSL.
  • Re: TLS Server Name Indication Support

    Oct 21, 2009 08:14 AM|jeff@zina.com|LINK

    If you absolutely need multiple certs for sites using a single IP then Linux is your best (perhaps only) option. I'm of the opinion that sites on a single IP shouldn't be using separate certs, but I've also always resisted using multiple sites on a single IP whenever possible. I understand that in some situations you have no choice.

    Jeff

    Have you Binged a solution before posting?
  • Re: TLS Server Name Indication Support

    Oct 22, 2009 02:15 PM|anilr|LINK

    I had a query regarding that - are you seeing that most of the clients connecting to your site support TLS SNI? One reason for the delay in implementing this on the server side in Windows has been the belief that the percentage of clients supporting this is still low (even though the latest versions of IE and Firefox support it).

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: TLS Server Name Indication Support

    Nov 03, 2009 02:41 PM|Cheetah1980|LINK

    We need SNI not because we have clients connecting with SSL but because we have to host almost a thousand unique webservers (SOAP XML HL7v3 services) with their own FQDN and SSL certificate on a Win2008 IIS7 server for incoming SSL connections from other servers. Without SNI this means we need a unique IP address per FQDN/SSL cert; with SNI we could host all the sites on 1 IP. It’s obvious that 1 IP address for incoming SSL services is a lot more efficient and easier to maintain and configure. Add to that that all IP traffic is routed over firewalls and private (healthcare) networks, and it’s even more obvious that one single IP compared to almost a thousand is a BIG difference. For now we’ve put a dedicated Linux OpenSSL server between the Win2008 host and the network to handle the incoming SSL traffic. We hope SNI will be introduced in the near future.
  • Re: TLS Server Name Indication Support

    Nov 03, 2009 02:48 PM|Radek.Hulan|LINK

    1 IP address for incoming SSL services is a lot more efficient and easier to maintain

    And cheaper as well. You usually get 1 to 5 IP addresses, not an unlimited number of them, and you have to purchase additional ones separately.

    Not to mention running out of IPv4 addresses.

  • Re: TLS Server Name Indication Support

    Nov 24, 2009 12:54 AM|mcassman|LINK

    Does the content of this article accomplish what you (we) need?

    I have an immediate need to run multiple SSL sites on a single IP and was counting on this document to pull everything together.

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8d9f2a8f-cd23-448c-b2c7-f4e87b9e2d2c.mspx?mfr=true


  • Re: TLS Server Name Indication Support

    Dec 07, 2009 04:12 AM|Cheetah1980|LINK

    No, this doesn't solve the problem.
  • Re: TLS Server Name Indication Support

    Jan 07, 2010 10:52 AM|CFH IT|LINK

    We also really need this feature in order to host multiple sites in an efficient way.

    Can it really be true that MS has no plans to support this before the next major release of a Windows Server OS?

    SNI is supported on the client side by everybody using Firefox (2 and up), Safari on Mac OS X and everybody using Windows Vista and up.

    I guess the main reason that there has been some validity in the claim about lacking client-side support has been the complete failure in getting the corporate world to accept Windows Vista (due to its ridiculous resource usage). But hopefully Windows 7 will fare much better, which then should eliminate the problems with client-side support.

    The above statement is just another way of stating that I don't understand why this isn't supported in IIS, when you do support it on the client side...

  • Re: TLS Server Name Indication Support

    Jan 07, 2010 11:06 AM|mcassman|LINK

    Here is what worked for me in IIS 6.

    1) Configure host header names on 443 for IIS. I recommend scripting it because it won't be the last time you run this command.

    cscript.exe adsutil.vbs set /w3svc/<replace with your site id>/SecureBindings ":443:www.domain1.com"
    cscript.exe adsutil.vbs set /w3svc/1709n76999/SecureBindings ":443:www.domain2.com"
    cscript.exe adsutil.vbs set /w3svc/108937373/SecureBindings ":443:www.domain3.com"
    cscript.exe adsutil.vbs set /w3svc/2299387888/SecureBindings ":443:www.domain4.com"
    cscript.exe adsutil.vbs set /w3svc/1838j33838/SecureBindings ":443:www.domain5.com"


    2) Install a UCC certificate from DigiCert. Don't worry about all the references to Exchange on this page. The common name is for www.domain1.com and all the others are added when you submit the .csr

    http://www.digicert.com/unified-communications-ssl-tls.htm