Solved

C# SSL IIS7 Problem

Posted on 2010-08-20
563 Views
Last Modified: 2012-05-10
I have created and installed a public SSL certificate for one of my websites in IIS7. I now have the problem that other websites are redirected to this one if anyone tries those domains with https://. This is extremely bad and forces me to remove the SSL until I find a solution.

Please help me with this.

First I thought I could programmatically redirect the visitors in Global.asax, but the SSL is of course checked before any website application code runs.
Question by:dingir
15 Comments
 
LVL 8

Expert Comment

by:Wikkard
ID: 33482960
IIS can only listen on 1 IP address per SSL certificate. So you need to put all your non SSL websites on a different IP address.

0
 
LVL 1

Author Comment

by:dingir
ID: 33482968
I know, but how? And where are the workarounds?
This is a VPS. I don't know about IP addresses here.
0
 
LVL 8

Expert Comment

by:Wikkard
ID: 33483297
There isn't any workaround that I know of.

You simply need to get another public IP address from your ISP and assign it to your server.
You then need to reconfigure DNS for the websites you want to use the new IP.
Then configure IIS to use the new IP address (for the websites you want on the new IP).

0
 

Expert Comment

by:ykiran_kumar
ID: 33483489
In IIS7 you have to select the server name, then go to Server Certificates and install the certificate. Then select the website, go to Bindings, select https and select the certificate there. In this way you can bind https to your required websites only.
0
 
LVL 1

Author Comment

by:dingir
ID: 33483527
Thanks for the reply. It's super clear how I install the certificates; however, the one and only cert will affect all domains if they are visited with https.

I feel there is no workaround. I read something about SSL host headers that are per-site based, but can't find correct or enough information about it.

I feel that's a very uncomfortable scenario. Just as I can force a website to use SSL / 128 bit, I must also be able to FORCE a website to not use SSL, so if it is visited with https and doesn't correspond to the certificate's URL, just bring it down to the http scheme or drop the connection. Why not?
0
 

Expert Comment

by:ykiran_kumar
ID: 33483793
Then probably you are running all your sites IP based; try configuring the sites with host-based configurations.

Did you create all your websites under the default website as virtual directories?
0
 
LVL 1

Author Comment

by:dingir
ID: 33483851
The answer is no, on your second question.

What do you mean by host based?
0
 
LVL 1

Author Comment

by:dingir
ID: 33498377
No more info about this?
0
 
LVL 37

Expert Comment

by:meverest
ID: 33594202
Hi,

The only way that I can think of that will hide the SSL site when someone uses a hostname that is used by a different site is to test for the hostname on every page (like in a global.asa type script) and then redirect if it is not the hostname intended for that site, something like:

<script type="text/javascript">
// If this page was reached under a hostname other than the SSL site's own,
// send the visitor back to the plain http version of the hostname they typed.
if (window.location.hostname != 'www.mysslsite.com') {
    window.location.href = 'http://' + window.location.hostname + window.location.pathname;
}
</script>

Add this code to the top of EVERY page in www.mysslsite.com, and then if someone happens to load it as (for example) https://www.othersite.com, they will automatically jump to http://www.othersite.com

You might even be able to do it with an ISAPI redirect like isapiRewrite or IIS URLrewrite module which would let you do it without javascript (and without needing to modify every page) but a) I'm not sure if it will work, and b) it is easier to do it with javascript if you have a global script you can stick it into!

Cheers!
0
 
LVL 1

Author Comment

by:dingir
ID: 33594965
Thanks.

I tried the global, but the IIS website content isn't loaded at all at the time of checking the SSL state. It will check the valid state and then redirect to the URL of the SSL certificate.

Maybe a wildcard SSL could be used, referring the user to a subdomain of the SSL certificate and redirecting from there...

I feel all this like: you need your own IP for each SSL site and non-SSL site if using IIS.
0
 
LVL 37

Expert Comment

by:meverest
ID: 33595795
Hi,

>> I tried the global, but the iis website content aren't loaded at all at the time of checking the ssl state. It will check the valid state and then redirect to the url of ssl certificate.

Oh... right - I didn't understand what you meant by this:

>> redirect the visitors by Global.Asax, but the SSL is of course being checked before any website-application-code are running.

until now - I understand now that you are concerned that the end user sees a message about certificate does not match the domain, right?  But if the ssl site is not relevant to the site that the user is attempting to access, does it really matter about that?  The only way that a user will see that message is if they accidentally (or intentionally!) enter https://someothersite instead of http...  So if there is no https site existing for that site, why do you care that it shows a message?

And now I also agree with previous comments of other experts (sorry all, for missing the POINT! ;-)

There is no way that you can avoid that warning.  reason: that warning is a function of the client browser, and the server side has absolutely no bearing on that behaviour.

Always remember this about SSL and host headers:

when the ssl connection is made, the session is encrypted.  The host header (i.e. which web site hostname is requested) is also encrypted.  The server must first decrypt the content to discover what web site to load.  But the server must select a certificate to decrypt the content.  catch22 - how can the server select which certificate if it doesn't yet know what host header is in the request?  answer: it can only select the certificate based on the IP address and port that it receives the connection on, because that is the only detail 'in the clear' (other than the CLIENT IP address and port, of course)

So when a client sends an (encrypted) request for https://www.site1.com, and gets a reply from the server saying 'this is the encryption key for https://www.site2.com', then the browser baulks with what is essentially "HEY! I want to access site1, but this server says it is site2! Something dodgy is going on here!" ;-)

Sorry, but sometimes the 'correct' answer to a question like "how can i..." is quite simply "you can't" :-}

wildcard ssl - YES, you can do that but all web sites must share a common domain, like www.site1.com, site2.site1.com, site3.site1.com, ...

in which case you can do normal host header assignment using IIS bindings:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

Cheers!
0
 
LVL 1

Author Comment

by:dingir
ID: 33596027
Hi

Thanks. A lot of info. Both interesting, and also some that isn't fully correctly understood.

I'm not concerned that users see a warning message.

I have an iis with several standard http websites

www.domain1.com
www.domain2.com
www.domain3.com
www.domain4.com

But now, I want to add SSL / https to www.domain3.com

Which makes domain3.com work with SSL.
I also force http users to be redirected to https if they try to visit http (global.asax).

The problem IS that when SSL exists, users (without any knowledge of the existence of https://www.domain3.com) WILL try https://www.domain1.com, https://www.domain2.com and https://www.domain4.com.

They receive the error message and think "what the hell, is this place unsafe?". Some of them who dare to continue will land on the IIS website that has the SSL certificate attached. Which means the WRONG site. They visit domain4.com and land on domain3.com.

Verrrryyy poooor design......
0
 
LVL 37

Accepted Solution

by:
meverest earned 500 total points
ID: 33596279
Hi,

OK, so I think you are clarifying what I originally thought you meant.

So,

>> But know, I want to add a SSL / https to www.domain3.com

straight out, no ifs no buts: you CAN NOT do it.  ssl certs are locked to the domain -> *.domain.com and only one cert can be applied to one IP address (and port - i.e. 443)

You can do it with SUBDOMAIN (www.domain1.com, domain2.domain1.com, domain3.domain1.com...)

You can do it with different port, e.g: https://www.domain1.com, https://www.domain2.com:444, https://www.domain3.com:445, ...

but you can't do it otherwise.

>> I also force http users redirected into https if they try to visit http (global.asax).

in which case you may like to try including the port definition (444, 445, etc as above) in the redirect.

>> I'm not concerned that users see a warning message.

Then you can still use my original scheme to work around this.

if a user tries to access https://www.domain2.com, then get the error message.  Those who dare to continue will be redirected to http://www.domain2.com, and if you have your redirection happening to force to ssl, then force them to https://www.domain2.com:444 - all good

So the result will be that an error is displayed ONLY when someone intentionally (manually by hand) enters https://www.domain2.com into the web browser (i.e. without the :444 on the end), and even then, the correct site is displayed in the end - they should never see the http://www.domain1.com content (or only for a flash of a split second, if at all).

>> Verrrryyy poooor design......

are you referring to the web server design?  It's not a software issue - it's a protocol limitation, for all the reasons (catch22) that I explained above.  It is therefore a limitation shared by /all/ web server implementations, not just IIS.

Cheers!
0
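The following is an added illustration, not code from the thread or from IIS: a small Python model of the "catch-22" meverest describes (the server picks a certificate from the listening IP and port alone, before it can see which hostname was requested) and of the three ways out that the answers give (a second IP address, one port per site, or a wildcard certificate over subdomains of one domain). The IP addresses, hostnames and port numbers are constructed; it models the pre-SNI behaviour the thread is about.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed hostnames mirroring the four sites in the question.
SITES = ["www.domain1.com", "www.domain2.com", "www.domain3.com", "www.domain4.com"]


@dataclass(frozen=True)
class Certificate:
    """A server certificate identified by its subject name (exact or *.wildcard)."""
    subject: str

    def matches(self, hostname: str) -> bool:
        # A wildcard covers exactly one label to the left of the base domain.
        if self.subject.startswith("*."):
            base = self.subject[2:].lower()
            head, sep, tail = hostname.lower().partition(".")
            return bool(head) and sep == "." and tail == base
        return hostname.lower() == self.subject.lower()


@dataclass
class HttpsServer:
    """Pre-SNI server: certificate lookup is keyed on (ip, port) only."""
    bindings: Dict[Tuple[str, int], Certificate] = field(default_factory=dict)

    def add_binding(self, ip: str, port: int, cert: Certificate) -> None:
        key = (ip, port)
        if key in self.bindings:
            # Only one certificate can be bound to a given IP:port.
            raise ValueError(f"{ip}:{port} already has a certificate bound")
        self.bindings[key] = cert

    def connect(self, ip: str, port: int, requested_host: str) -> Tuple[Optional[str], Optional[str]]:
        """Simulate a handshake: returns (certificate subject presented, browser warning or None).

        The requested hostname sits inside the encrypted request, so the server
        cannot use it to choose a certificate; only the IP:port the client
        connected to is in the clear.
        """
        cert = self.bindings.get((ip, port))
        if cert is None:
            return None, "connection refused"
        # The browser, not the server, compares the certificate name to the URL typed.
        warning = None if cert.matches(requested_host) else "certificate name mismatch"
        return cert.subject, warning


def shared_ip_scenario() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """The original problem: one IP, one certificate on 443, four hostnames."""
    srv = HttpsServer()
    srv.add_binding("203.0.113.10", 443, Certificate("www.domain3.com"))
    return {host: srv.connect("203.0.113.10", 443, host) for host in SITES}


def per_port_scenario() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Accepted answer, option 2: one certificate per port on the same IP."""
    srv = HttpsServer()
    ports = {"www.domain1.com": 443, "www.domain2.com": 444, "www.domain3.com": 445}
    for host, port in ports.items():
        srv.add_binding("203.0.113.10", port, Certificate(host))
    return {host: srv.connect("203.0.113.10", port, host) for host, port in ports.items()}


def wildcard_scenario() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Accepted answer, option 1: sites as subdomains under one wildcard certificate."""
    srv = HttpsServer()
    srv.add_binding("203.0.113.10", 443, Certificate("*.domain1.com"))
    hosts = ["www.domain1.com", "domain2.domain1.com", "www.domain3.com"]
    return {host: srv.connect("203.0.113.10", 443, host) for host in hosts}


def per_ip_scenario() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """First expert's answer: the plain-http sites live on a second IP with no 443 binding."""
    srv = HttpsServer()
    srv.add_binding("203.0.113.10", 443, Certificate("www.domain3.com"))
    return {
        "www.domain3.com": srv.connect("203.0.113.10", 443, "www.domain3.com"),
        "www.domain1.com": srv.connect("203.0.113.11", 443, "www.domain1.com"),
    }


def binding_conflict() -> bool:
    """True if the model refuses a second certificate on an already-bound IP:port."""
    srv = HttpsServer()
    srv.add_binding("203.0.113.10", 443, Certificate("www.domain3.com"))
    try:
        srv.add_binding("203.0.113.10", 443, Certificate("www.domain1.com"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in [("shared IP", shared_ip_scenario), ("per port", per_port_scenario),
                     ("wildcard", wildcard_scenario), ("per IP", per_ip_scenario)]:
        print(name, fn())
```

In the shared-IP case every hostname on 203.0.113.10:443 is answered with the www.domain3.com certificate, so the browser warns for domain1, domain2 and domain4 and, if the user clicks through, shows domain3's content. The per-port, wildcard and second-IP variants each make the (ip, port) lookup land on a certificate whose name matches, or on nothing at all, which is exactly the choice the accepted answer lays out.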
