Solved

C# SSL IIS7 Problem

Posted on 2010-08-20
15
558 Views
Last Modified: 2012-05-10
I created and installed a public SSL certificate for one of my websites in IIS7. I now have the problem that other websites are redirected to this one if anyone tries those domains with https://. This is extremely bad and forces me to remove the SSL until I find a solution.

Please help me with this.

First I thought I could programmatically redirect the visitors in Global.asax, but the SSL is of course being checked before any website application code is running.
15 Comments
 
LVL 8

Expert Comment

by:Wikkard
ID: 33482960
IIS can only listen on one IP address per SSL certificate. So you need to put all your non-SSL websites on a different IP address.

0
 
LVL 1

Author Comment

by:dingir
ID: 33482968
I know, but how? And where are the workarounds?
This is a VPS. I don't know about IP addresses here.
0
 
LVL 8

Expert Comment

by:Wikkard
ID: 33483297
There isn't any workaround that I know of.

You simply need to get another public IP address from your ISP and assign it to your server.
You then need to reconfigure DNS for the websites you want to use the new IP.
Then configure IIS to use the new IP address (for the websites you want on the new IP).

0
 

Expert Comment

by:ykiran_kumar
ID: 33483489
In IIS7 you have to select the server name, then go to Server Certificates and install the certificate. Then you have to select the website, go to Bindings, select https and select the certificate there. In this way you can bind https to your required websites only.
0
 
LVL 1

Author Comment

by:dingir
ID: 33483527
Thanks for the reply. It's super clear how I install the certificates; however, the one and only cert will affect all domains if they are visited with https.

I feel there is no workaround. I read something about SSL headers that are per-site based, but can't find correct or enough information about it.

I feel that's a very uncomfortable scenario. Just as I can force a website to use SSL / 128 bit, I must also be able to FORCE a website to not use SSL, so if it is visited with https and doesn't correspond to the certificate's URL, just bring it down to the http scheme or drop the connection. Why not?
0
 

Expert Comment

by:ykiran_kumar
ID: 33483793
Then probably you are running all your sites IP based; try configuring the sites with host-based configurations.

Did you create all your websites under the default website as virtual directories?
0
 
LVL 1

Author Comment

by:dingir
ID: 33483851
The answer is no to your second question.

What do you mean by host based?
0
 
LVL 1

Author Comment

by:dingir
ID: 33498377
No more info about this?
0
 
LVL 37

Expert Comment

by:meverest
ID: 33594202
Hi,

The only way that I can think of that will hide the SSL site when someone uses a hostname that is used by a different site is to test for the hostname on every page (like in a global.asa type script) and then redirect if it is not the hostname intended for that site, something like:

<script type="text/javascript">
// If this page was reached under any hostname other than the SSL site's own,
// send the visitor back to the plain-http version of the host they typed.
if (window.location.hostname != 'www.mysslsite.com') {
    window.location.href = 'http://' + window.location.hostname;
}
</script>

Add this code to the top of EVERY page in www.mysslsite.com, and then if someone happens to load it as (for example) https://www.othersite.com, they will automatically jump to http://www.othersite.com.

You might even be able to do it with an ISAPI redirect like ISAPI_Rewrite or the IIS URL Rewrite module, which would let you do it without JavaScript (and without needing to modify every page), but a) I'm not sure if it will work, and b) it is easier to do it with JavaScript if you have a global script you can stick it into!

Cheers!
0
 
LVL 1

Author Comment

by:dingir
ID: 33594965
Thanks.

I tried the global one, but the IIS website content isn't loaded at all at the time of checking the SSL state. It will check the validity state and then redirect to the URL of the SSL certificate.

Maybe a wildcard SSL could be used, referring the user to a subdomain of the SSL certificate and redirecting from there...

I feel all this like: you need your own IP for each SSL site and non-SSL site if using IIS.
0
 
LVL 37

Expert Comment

by:meverest
ID: 33595795
Hi,

>> I tried the global one, but the IIS website content isn't loaded at all at the time of checking the SSL state. It will check the validity state and then redirect to the URL of the SSL certificate.

Oh... right - I didn't understand what you meant by this:

>> redirect the visitors in Global.asax, but the SSL is of course being checked before any website application code is running.

until now - I understand now that you are concerned that the end user sees a message about the certificate not matching the domain, right?  But if the SSL site is not relevant to the site that the user is attempting to access, does it really matter about that?  The only way that a user will see that message is if they accidentally (or intentionally!) enter https://someothersite instead of http...  So if there is no https site existing for that site, why do you care that it shows a message?

And now I also agree with previous comments of other experts (sorry all, for missing the POINT! ;-)

There is no way that you can avoid that warning.  Reason: that warning is a function of the client browser, and the server side has absolutely no bearing on that behaviour.

Always remember this about SSL and host headers:

When the SSL connection is made, the session is encrypted.  The host header (i.e. which web site hostname is requested) is also encrypted.  The server must first decrypt the content to discover what web site to load.  But the server must select a certificate to decrypt the content.  Catch-22 - how can the server select which certificate if it doesn't yet know what host header is in the request?  Answer: it can only select the certificate based on the IP address and port that it receives the connection on, because that is the only detail 'in the clear' (other than the CLIENT IP address and port, of course).

So when a client sends an (encrypted) request for https://www.site1.com, and gets a reply from the server saying 'this is the encryption key for https://www.site2.com', then the browser baulks with what is essentially "HEY!  I want to access site1, but this server says it is site2!  Something dodgy is going on here!" ;-)

Sorry, but sometimes the 'correct' answer to a question like "how can I..." is quite simply "you can't" :-}

Wildcard SSL - YES, you can do that, but all web sites must share a common domain, like www.site1.com, site2.site1.com, site3.site1.com, ...

in which case you can do normal host header assignment using IIS bindings:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

Cheers!
0
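The catch-22 above (certificate chosen by IP:port before decryption, site chosen by host header only afterwards) can be made concrete with a small model. The following C# console program is an added illustration, not code from this thread or from IIS: it uses a constructed binding table that mirrors the asker's setup (four host-header http sites and one https binding on a shared address) and shows why an https request for www.domain4.com gets domain3's certificate and content, and how the two fixes proposed in the thread (a separate IP, or a separate port per certificate) change the outcome. The IP addresses, site names and the `Binding` class are assumptions for the example. It models a server without SNI, which is the IIS 7 situation discussed here; IIS 8 and later can read the SNI hostname from the unencrypted ClientHello and select the certificate from it, which removes the catch-22 for SNI-capable clients.

```csharp
// Added example: a model of IIS 7 binding resolution without SNI.
// Not code from the thread or from IIS; all data below is constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public class Binding
{
    public string Ip;          // listening address ("*" = any address)
    public int Port;
    public string HostHeader;  // null = catch-all binding for that IP:port
    public string Site;        // IIS site name (assumed)
    public string CertSubject; // certificate CN, set only on https bindings
}

public static class BindingModel
{
    // Constructed table mirroring the asker's description: one shared IP,
    // four host-header http sites, and a single https binding for domain3.
    public static readonly List<Binding> Bindings = new List<Binding>
    {
        new Binding { Ip = "10.0.0.1", Port = 80,  HostHeader = "www.domain1.com", Site = "domain1" },
        new Binding { Ip = "10.0.0.1", Port = 80,  HostHeader = "www.domain2.com", Site = "domain2" },
        new Binding { Ip = "10.0.0.1", Port = 80,  HostHeader = "www.domain3.com", Site = "domain3" },
        new Binding { Ip = "10.0.0.1", Port = 80,  HostHeader = "www.domain4.com", Site = "domain4" },
        new Binding { Ip = "10.0.0.1", Port = 443, HostHeader = null, Site = "domain3", CertSubject = "www.domain3.com" },
    };

    // Step 1: before decryption only the destination IP and port are visible,
    // so the certificate has to be chosen from those two values alone.
    public static Binding SelectTlsBinding(IEnumerable<Binding> bindings, string ip, int port)
    {
        return bindings.FirstOrDefault(b => b.Port == port && b.CertSubject != null
                                            && (b.Ip == "*" || b.Ip == ip));
    }

    // Step 2: after decryption the Host header is readable and the request is
    // routed by (IP, port, host header), falling back to the catch-all binding.
    public static Binding SelectSite(IEnumerable<Binding> bindings, string ip, int port, string host)
    {
        var onEndpoint = bindings.Where(b => b.Port == port && (b.Ip == "*" || b.Ip == ip)).ToList();
        return onEndpoint.FirstOrDefault(b => string.Equals(b.HostHeader, host, StringComparison.OrdinalIgnoreCase))
            ?? onEndpoint.FirstOrDefault(b => string.IsNullOrEmpty(b.HostHeader));
    }

    public static string Describe(IEnumerable<Binding> bindings, string host, string ip, int port)
    {
        Binding tls = SelectTlsBinding(bindings, ip, port);
        if (tls == null)
            return "https://" + host + ":" + port + " -> no https listener on " + ip + ":" + port + ", connection refused";

        bool mismatch = !string.Equals(tls.CertSubject, host, StringComparison.OrdinalIgnoreCase);
        Binding site = SelectSite(bindings, ip, port, host);
        return string.Format("https://{0}:{1} -> certificate for {2} ({3}), served by site '{4}'",
            host, port, tls.CertSubject,
            mismatch ? "browser warns: name mismatch" : "name matches",
            site == null ? "(none)" : site.Site);
    }

    public static void Main()
    {
        // The asker's problem: every https request on the shared IP receives
        // domain3's certificate and, once the warning is clicked through, domain3's content.
        foreach (string h in new[] { "www.domain3.com", "www.domain4.com" })
            Console.WriteLine(Describe(Bindings, h, "10.0.0.1", 443));

        // Fix A (Wikkard's answer): move the non-SSL sites to a second IP. There is no
        // https listener there, so https://www.domain4.com is refused instead of misrouted.
        List<Binding> separateIp = Bindings
            .Select(b => b.Site == "domain3" ? b
                : new Binding { Ip = "10.0.0.2", Port = b.Port, HostHeader = b.HostHeader, Site = b.Site })
            .ToList();
        Console.WriteLine(Describe(separateIp, "www.domain4.com", "10.0.0.2", 443));

        // Fix B (accepted answer): one certificate per port, e.g. domain4 on :444.
        List<Binding> perPort = Bindings
            .Concat(new[] { new Binding { Ip = "10.0.0.1", Port = 444, Site = "domain4", CertSubject = "www.domain4.com" } })
            .ToList();
        Console.WriteLine(Describe(perPort, "www.domain4.com", "10.0.0.1", 444));
    }
}
```

The first two lines of output show the failure the asker describes: the name-mismatch warning comes from the client comparing the certificate's CN with the host it asked for, and nothing in the server's configuration can change that once the certificate has been picked by IP:port. The two fixes work for the same reason: they give each certificate an endpoint (IP or port) of its own, so the choice made before decryption is already the right one.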
 
LVL 1

Author Comment

by:dingir
ID: 33596027
Hi

Thanks. A lot of info. Both interesting, and also some that isn't fully correctly understood.

I'm not concerned that users see a warning message.

I have an iis with several standard http websites

www.domain1.com
www.domain2.com
www.domain3.com
www.domain4.com

But now, I want to add SSL / https to www.domain3.com,

which makes domain3.com work with SSL.
I also force http users to be redirected into https if they try to visit http (global.asax).

The problem IS that when the SSL exists, users (without any knowledge of the existence of https://www.domain3.com) WILL try https://www.domain1.com, https://www.domain2.com and https://www.domain4.com.

They receive the error message and think "what the hell, is this place unsafe?". Some of them who dare to continue will land on the IIS website that has the SSL certificate attached. Which means the WRONG site. They visit domain4.com and land on domain3.com.

Verrrryyy poooor design......
0
 
LVL 37

Accepted Solution

by:
meverest earned 500 total points
ID: 33596279
Hi,

OK, so I think you are clarifying what I originally thought you meant.

So,

>> But now, I want to add SSL / https to www.domain3.com

straight out, no ifs no buts: you CAN NOT do it.  SSL certs are locked to the domain -> *.domain.com, and only one cert can be applied to one IP address (and port - i.e. 443).

You can do it with SUBDOMAIN (www.domain1.com, domain2.domain1.com, domain3.domain1.com...)

You can do it with different port, e.g: https://www.domain1.com, https://www.domain2.com:444, https://www.domain3.com:445, ...

but you can't do it otherwise.

>> I also force http users to be redirected into https if they try to visit http (global.asax).

in which case you may like to try including the port definition (444, 445, etc. as above) in the redirect.

>> I'm not concerned that users see a warning message.

Then you can still use my original scheme to work around this.

If a user tries to access https://www.domain2.com, they get the error message.  Those who dare to continue will be redirected to http://www.domain2.com, and if you have your redirection happening to force SSL, then force them to https://www.domain2.com:444 - all good.

So the result will be that an error is displayed ONLY when someone intentionally (manually, by hand) enters https://www.domain2.com into the web browser (i.e. without the :444 on the end), and even then the correct site is displayed in the end - they should never see the http://www.domain1.com content - or only for a flash of a split second, if at all.

>> Verrrryyy poooor design......

are you referring to the web server design?  It's not a software issue - it's a protocol limitation, for all the reasons (catch22) that I explained above.  It is therefore a limitation shared by /all/ web server implementations, not just IIS.

Cheers!
0
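The accepted scheme (send a visitor who lands on the wrong site back to the plain-http host they typed, and have each site force its own https port) can be done once per site in Global.asax instead of at the top of every page. The following is an added example, not code from the thread or from meverest: each IIS site gets its own copy with its own `ExpectedHost` and `HttpsPort` values (assumed settings; 443 for the main SSL site, 444, 445, ... for the others as the answer suggests). The redirect rules are kept in a static `RedirectTarget` method so they can be checked outside IIS.

```csharp
// Global.asax.cs (added example; per-site settings below are assumptions).
// The markup file is just: <%@ Application Inherits="Global" Language="C#" %>
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumed per-site settings: the only host this site should answer for,
    // and the port its own certificate is bound to.
    private const string ExpectedHost = "www.domain1.com";
    private const int HttpsPort = 443;

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Uri url = Request.Url;
        string target = RedirectTarget(ExpectedHost, HttpsPort,
                                       url.Scheme, url.Host, url.Port, url.PathAndQuery);
        if (target != null)
        {
            // 302 redirect and stop processing this request. Use
            // Response.RedirectPermanent for a 301 once the setup is stable.
            Response.Redirect(target, true);
        }
    }

    // Pure decision function: returns the URL to redirect to, or null to serve
    // the request as-is. Kept free of HttpContext so it can be unit-tested.
    public static string RedirectTarget(string expectedHost, int httpsPort,
                                        string scheme, string host, int port, string pathAndQuery)
    {
        // 1. Wrong host: the request only reached this site because IIS chose the
        //    binding by IP:port (the catch-22 explained in the thread). Send the
        //    visitor to the plain-http endpoint of the host they actually typed;
        //    that site's own Global.asax then upgrades them to its own https port.
        //    Plain http is deliberate here: redirecting straight to https://host
        //    would hit the same certificate mismatch again.
        if (!string.Equals(host, expectedHost, StringComparison.OrdinalIgnoreCase))
        {
            return "http://" + host + pathAndQuery;
        }

        // 2. Right host over plain http: force https, carrying the non-default
        //    port in the Location header so the browser lands on this site's
        //    own certificate rather than on the shared :443 binding.
        if (string.Equals(scheme, "http", StringComparison.OrdinalIgnoreCase))
        {
            string portPart = httpsPort == 443 ? "" : ":" + httpsPort;
            return "https://" + expectedHost + portPart + pathAndQuery;
        }

        // 3. Already https on the right host (and, implicitly, the right port): serve it.
        return null;
    }
}
```

Two things to keep in mind when deploying this. In IIS 7 classic pipeline mode, Global.asax only runs for requests handled by ASP.NET, so static files reached under the wrong host are not redirected unless the site uses the integrated pipeline with managed modules enabled for all requests. And, as the answer says, none of this removes the browser's name-mismatch warning for a visitor who types https://www.domain2.com by hand; it only guarantees that those who click through end up on the correct site rather than on domain1's content.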
