Channel 9 Forums - Tech Off - IIS, SSL Certificates, and hostheaders

Tech Off - IIS, SSL Certificates, and hostheaders

W3bbo — Mon, 31 Dec 2007 21:33:32 GMT

Suppose you've got an SSL certificate for "foo.com" and you've got an IIS website which serves requests for both "www.foo.com" and "foo.com"

Now any request for "https://www.foo.com" would give errors since the cert was issued to foo.com and not www.foo.com.

What's the best way around this besides ordering a Wildcard SSL certificate? Is there any way to get IIS to automatically redirect all requests to www.foo.com to foo.com or something?

Or if I've got 2 certificates, one for "www.foo.com" and one for "foo.com" is there any way to make them work together for the same website?

Tech Off - IIS, SSL Certificates, and hostheaders

Matthew van Eerde — Mon, 31 Dec 2007 23:46:41 GMT

Yes - you can configure multiple IP addresses on the server and have foo.com and www.foo.com bind to different IP addresses.

As I understand common-or-garden SSL, the security is put in place before the Host: header is available, so the header cannot be used to to determine which certificate is appropriate. TLS avoids this issue, but I'm not sure how.

Tech Off - IIS, SSL Certificates, and hostheaders

W3bbo — Tue, 01 Jan 2008 01:47:06 GMT

Matthew van Eerde wrote:

Yes - you can configure multiple IP addresses on the server and have foo.com and www.foo.com bind to different IP addresses.

Not really an option, I've only got 1 IP address.

But for now it'll have to do until I can afford a wildcard cert. Ah well.

Tech Off - IIS, SSL Certificates, and hostheaders

Matthew van Eerde — Tue, 01 Jan 2008 18:54:24 GMT

Another option is to use a non-default port for the second SSL binding... you'll have to use URLs of the form https://foo.com:1337/ but the security will be preserved.

Tech Off - IIS, SSL Certificates, and hostheaders

W3bbo — Tue, 01 Jan 2008 19:29:39 GMT

Matthew van Eerde wrote:

Another option is to use a non-default port for the second SSL binding... you'll have to use URLs of the form https://foo.com:1337/ but the security will be preserved.

That's not what I'm after though.

My cert is for "foo.com", and that's it. Yet people expect websites to be at "www.foo.com". The same virtual server serves requests for both "foo.com" and "www.foo.com". Since the host-headers are different than the cert my visitors get a warning.

I'm trying to eradicate the warning I can get a second SSL for "www.foo.com" in addition to my cert for "foo.com", but I can't see if/where/how IIS supports multiple certs per single instance of a virtual server.

Tech Off - IIS, SSL Certificates, and hostheaders

Dorian Muthig — Wed, 02 Jan 2008 00:44:52 GMT

Hmmm you could try to redirect without even sending out the SSL certificate, and on the destination use SSL again.

So basically you'd have a non SSL vhost answering at port 443 and redirecting to the other vhost.

Tech Off - IIS, SSL Certificates, and hostheaders

Jorgie — Wed, 02 Jan 2008 04:56:35 GMT

Host headers cannot be used for SSL because the setup of the SSL connection takes place when only the requested IP address is available to IIS.

The best you can do with a single IP address is set up a non-SSL website for the host header www.foo.com and have it redirect to https://foo.com

This will work fine if people type www.foo.com in their browser as long as they dont type the HTTPS in front.

BTW the option you want is: "A permanent redirection for this resource"

Jorgie