
Solved

C# SSL IIS7 Problem

Posted on 2010-08-20
568 Views
Last Modified: 2012-05-10
I created and installed a public SSL certificate for one of my websites in IIS7. I now have the problem that other websites are redirected to this one if anyone tries those domains with https://. This is extremely bad and forces me to remove the SSL until I find a solution.

Please help me with this.

First I thought I could programmatically redirect the visitors via Global.asax, but the SSL is of course checked before any website application code runs.
0
Question by:dingir
15 Comments
 
LVL 8

Expert Comment

by:Wikkard
ID: 33482960
IIS can only listen on 1 IP address per SSL certificate. So you need to put all your non-SSL websites on a different IP address.

0
 
LVL 1

Author Comment

by:dingir
ID: 33482968
I know, but how? And where are the workarounds?
This is a VPS. I don't know about IP addresses here.
0
 
LVL 8

Expert Comment

by:Wikkard
ID: 33483297
There isn't any workaround that I know of.

You simply need to get another public IP address from your ISP and assign it to your server.
You then need to reconfigure DNS for the websites you want to use the new IP.
Then configure IIS to use the new IP address (for the websites you want on the new IP).

0

 

Expert Comment

by:ykiran_kumar
ID: 33483489
In IIS7 you have to select the server name, then go to Server Certificates and install the certificate. Then you have to select the website, go to Bindings, select https and select the certificate there. In this way you can bind https to your required websites only.
0
 
LVL 1

Author Comment

by:dingir
ID: 33483527
Thanks for the reply. It's super clear how I install the certificates; however, the one and only cert will affect all domains if they are visited with https.

I feel there is no workaround. I read something about SSL headers that are per-site based, but I can't find correct or enough information about it.

I feel that's a very uncomfortable scenario. Just as I can force a website to use SSL / 128 bit, I must also be able to FORCE a website not to use SSL, so if it is visited with https and doesn't correspond to the certificate's URL, just bring it down to the http scheme or drop the connection. Why not?
0
 

Expert Comment

by:ykiran_kumar
ID: 33483793
Then probably you are running all your sites IP based; try configuring the sites with host-based configurations.

Did you create all your websites under the default website as virtual directories?
0
 
LVL 1

Author Comment

by:dingir
ID: 33483851
The answer is no to your second question.

What do you mean by host based?
0
 
LVL 1

Author Comment

by:dingir
ID: 33498377
No more info about this?
0
 
LVL 37

Expert Comment

by:meverest
ID: 33594202
Hi,

the only way that I can think of that will hide the SSL site when someone uses a hostname that is used by a different site is to test for the hostname on every page (like in a global.asa type script) and then redirect if it is not the hostname intended for that site, something like:

<script type="text/javascript">
// If this page was reached under a hostname other than the SSL site's, drop back to plain http on that hostname.
if (window.location.hostname != 'www.mysslsite.com') window.location.href = 'http://' + window.location.hostname;
</script>

add this code to the top of EVERY page in www.mysslsite.com, and then if someone happens to load it as (for example) https://www.othersite.com, they will automatically jump to http://www.othersite.com

You might even be able to do it with an ISAPI redirect like ISAPI_Rewrite or the IIS URL Rewrite module, which would let you do it without JavaScript (and without needing to modify every page), but a) I'm not sure if it will work, and b) it is easier to do it with JavaScript if you have a global script you can stick it into!

Cheers!
0
 
LVL 1

Author Comment

by:dingir
ID: 33594965
Thanks.

I tried the global, but the IIS website content isn't loaded at all at the time of checking the SSL state. It will check the valid state and then redirect to the URL of the SSL certificate.

Maybe a wildcard SSL could be used, referring the user to a subdomain of the SSL certificate and redirecting from there...

I feel all this is like: you need your own IP for each SSL site & non-SSL site if using IIS.
0
 
LVL 37

Expert Comment

by:meverest
ID: 33595795
Hi,

>> I tried the global, but the IIS website content isn't loaded at all at the time of checking the SSL state. It will check the valid state and then redirect to the URL of the SSL certificate.

Oh... right - I didn't understand what you meant by this:

>> redirect the visitors via Global.asax, but the SSL is of course checked before any website application code runs.

until now - I understand now that you are concerned that the end user sees a message that the certificate does not match the domain, right?  But if the SSL site is not relevant to the site that the user is attempting to access, does it really matter?  The only way that a user will see that message is if they accidentally (or intentionally!) enter https://someothersite instead of http...  So if there is no https site existing for that site, why do you care that it shows a message?

And now I also agree with previous comments of other experts (sorry all, for missing the POINT! ;-)

There is no way that you can avoid that warning.  Reason: that warning is a function of the client browser, and the server side has absolutely no bearing on that behaviour.

Always remember this about SSL and host headers:

when the SSL connection is made, the session is encrypted.  The host header (i.e. which web site hostname is requested) is also encrypted.  The server must first decrypt the content to discover which web site to load.  But the server must select a certificate to decrypt the content.  Catch-22: how can the server select which certificate if it doesn't yet know what host header is in the request?  Answer: it can only select the certificate based on the IP address and port that it receives the connection on, because that is the only detail 'in the clear' (other than the CLIENT IP address and port, of course).

So when a client sends an (encrypted) request for https://www.site1.com, and gets a reply from the server saying 'this is the encryption key for https://www.site2.com', then the browser baulks with what is essentially "HEY!  I want to access site1, but this server says it is site2!  Something dodgy is going on here!" ;-)

Sorry, but sometimes the 'correct' answer to a question like "how can i..." is quite simply "you can't" :-}

wildcard SSL - YES, you can do that, but all web sites must share a common domain, like www.site1.com, site2.site1.com, site3.site1.com, ...

in which case you can do normal host header assignment using IIS bindings:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

Cheers!
0
 
LVL 1

Author Comment

by:dingir
ID: 33596027
Hi

Thanks. A lot of info. Both interesting and also some that isn't fully correctly understood.

I'm not concerned that users see a warning message.

I have an iis with several standard http websites

www.domain1.com
www.domain2.com
www.domain3.com
www.domain4.com

But now, I want to add SSL / https to www.domain3.com

Which makes domain3.com work with SSL.
I also force http users to be redirected to https if they try to visit http (global.asax).

The problem IS that when SSL exists, users (without any knowledge of the existence of https://www.domain3.com) WILL try https://www.domain1.com, https://www.domain2.com and https://www.domain4.com.

They receive the error message and think "what the hell, is this place unsafe?". Some of them who dare to continue will land on the IIS website that has the SSL certificate attached. Which means the WRONG site. They visit domain4.com and land on domain3.com.

Verrrryyy poooor design......
0
 
LVL 37

Accepted Solution

by:
meverest earned 2000 total points
ID: 33596279
Hi,

OK, so I think you are clarifying what I originally thought you meant.

So,

>> But now, I want to add SSL / https to www.domain3.com

straight out, no ifs no buts: you CAN NOT do it.  SSL certs are locked to the domain -> *.domain.com and only one cert can be applied to one IP address (and port - i.e. 443)

You can do it with SUBDOMAINS (www.domain1.com, domain2.domain1.com, domain3.domain1.com...)

You can do it with different ports, e.g.: https://www.domain1.com, https://www.domain2.com:444, https://www.domain3.com:445, ...

but you can't do it otherwise.

>> I also force http users to be redirected to https if they try to visit http (global.asax).

in which case you may like to try including the port definition (444, 445, etc. as above) in the redirect.

>> I'm not concerned that users see a warning message.

Then you can still use my original scheme to work around this.

if a user tries to access https://www.domain2.com, they get the error message.  Those who dare to continue will be redirected to http://www.domain2.com, and if you have your redirection happening to force SSL, then force them to https://www.domain2.com:444 - all good

So the result will be that an error is displayed ONLY when someone intentionally (manually, by hand) enters https://www.domain2.com into the web browser (i.e. without the :444 on the end), and even then, the correct site is displayed in the end - they should never see the http://www.domain1.com content (or only for a flash of a split second, if at all)

>> Verrrryyy poooor design......

are you referring to the web server design?  It's not a software issue - it's a protocol limitation, for all the reasons (catch-22) that I explained above.  It is therefore a limitation shared by /all/ web server implementations, not just IIS.

Cheers!
0
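The per-site redirect scheme from the accepted answer, together with the page-level hostname check suggested earlier in the thread, as an added example that is not part of this thread and not code from any of its participants: a Global.asax.cs for one site that (1) sends a visitor who clicked through the certificate warning for a different hostname back to plain http on the hostname they asked for, and (2) upgrades plain-http requests for this site's own hostname to https on its configured port. ExpectedHost, HttpsPort, the KnownHosts allowlist and the SslRedirector class are assumptions made for illustration; every site on the server would carry the same code with its own ExpectedHost and HttpsPort. Note the allowlist: the Host header is client-supplied, so redirecting to an unchecked hostname would turn the handler into an open redirect.

```csharp
// Added example (not from the thread): Global.asax.cs for one site, here www.domain3.com.
// Assumed values: this site's HTTPS binding is on HttpsPort with a certificate issued for
// ExpectedHost; KnownHosts lists every site hosted on this server. Each site would carry the
// same code with its own ExpectedHost/HttpsPort (in practice read them from web.config).
using System;
using System.Linq;
using System.Web;

public class Global : HttpApplication
{
    private const string ExpectedHost = "www.domain3.com";   // assumed
    private const int HttpsPort = 443;                       // 444, 445, ... on the other sites
    private static readonly string[] KnownHosts =            // assumed allowlist of our own sites
        { "www.domain1.com", "www.domain2.com", "www.domain3.com", "www.domain4.com" };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string target = SslRedirector.BuildRedirect(
            Request.Url, Request.IsSecureConnection, ExpectedHost, HttpsPort, KnownHosts);
        if (target != null)
        {
            Response.Redirect(target, false);              // 302 without ThreadAbortException
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}

public static class SslRedirector
{
    // Returns the URL the client should be sent to, or null if no redirect is needed.
    public static string BuildRedirect(Uri url, bool isSecure, string expectedHost,
                                       int httpsPort, string[] knownHosts)
    {
        bool hostMatches = string.Equals(url.Host, expectedHost, StringComparison.OrdinalIgnoreCase);

        if (isSecure && !hostMatches)
        {
            // Case 1: the visitor typed https://www.domain1.com, clicked through the certificate
            // warning and landed here because this site owns the *:443 binding. Send them back to
            // plain http on the host they asked for; that site's own handler upgrades them again.
            // Only redirect to a host we serve ourselves: the Host header is client-supplied.
            if (!knownHosts.Contains(url.Host, StringComparer.OrdinalIgnoreCase))
                return null;                                 // unknown host: let IIS answer as usual
            return new UriBuilder(url) { Scheme = "http", Port = 80 }.Uri.AbsoluteUri;
        }

        if (!isSecure && hostMatches)
        {
            // Case 2: the right host over plain http -> force https, keeping the per-site port
            // (the ":444"/":445" scheme from the accepted answer when the port is not 443).
            return new UriBuilder(url) { Scheme = "https", Port = httpsPort }.Uri.AbsoluteUri;
        }

        return null; // already https on the expected host, or not this site's request to handle
    }
}
```

Request.IsSecureConnection reflects the binding the request arrived on, so this code only runs after the TLS handshake has already completed with whatever certificate is bound to that IP and port; it cannot suppress the browser's name-mismatch warning, which is exactly the limitation the thread describes, but it does guarantee that a visitor who continues past the warning ends up on the site they asked for rather than on the certificate owner's content.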

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question