[thelist] Using SSL ports other than 443

Scott Dexter sgd at ti3.com
Mon Apr 9 17:42:20 CDT 2001


<question>
> Can anyone think of any reason to use ports other than 443 for an 
> SSL connection?  
> </question>

We have to here at work: we host multiple SSL sites on the same ip address.
Since SSL is one-to-one with ip address:443, additional certs on that ip
address *must* be on different ports. How do we make this transparent to our
users? We use a Cisco LocalDirector to provide load balancing and port
masking.

> It is my understanding that many firewall have the following 
> mandatory requirements: 
> a) Only port 443 can be used for an SSL connection 

Not necessarily the case. You *can* bind a web SSL cert to any port. 443 is
the assigned port for https. Note that other protocols (smtp, ftp, telnet) also
have accompanying SSL ports.

> b) A port number is not allowed to be explicitly specified as a part 
> of a URL 

They are allowed, but the firewall may not have them configured as open. A
sensible security policy includes locking down unused and unassigned
ports. If the Spectra software you speak of has a predictable method of
assigning SSL ports, you may be able to team up with the firewall and open
those ports as they are needed.

Good luck, ask more =)

<tip type="IIS quirk with port numbers">
Dunno if this is RFC compliant, but it happens in IIS:

with a non-standard port, if you specify the trailing slash on a URL, IIS
leaves the URL alone. Leave the trailing slash off, and IIS does a
redirection to the URL with the trailing slash, and *adds the port number*
to the URL. This is an issue that comes up if you have a need to run sites
on different ports and have a piece of equipment in front masking the ports
to keep things nice looking:

http://all.your.org/are/belong/ 

This url points to port 80 (the assigned port), but when it reaches me, I've
got a LocalDirector that knows it really goes to all.your.org:4553. So it
sends the request on to my IIS server at port 4553 instead of 80. IIS is
okay with the URL like this (with the trailing slash) --nothing gets
transmuted. On the other hand, 

http://all.your.org/are/belong

hits the LocalDirector just fine, and the LD pushes it to my IIS server's
port 4553, but IIS tweaks it with a redirect to

http://all.your.org:4553/are/belong/ 

which, for a couple reasons, can cause headaches and goose chasing. 

Solution?

(1) don't omit the trailing slash on sites that are not on default ports (80
or 443)
(2) the LocalDirector needs to listen to the non-standard port for requests
in the event the URL does get changed to include the port number

</tip>

sgd
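Added example, not part of the original post: a small Python reproduction of the trailing-slash redirect problem described in the tip, using only the standard library so it runs offline. A naive handler builds the redirect Location from the port its socket is bound to (the masked port, 4553 in the post), so the client is bounced to a URL that exposes the back-end port. The host-aware handler builds it from the client's Host header instead, which is the authority the client actually used. The hostname all.your.org, the path /are/belong and the directory table are taken from the post or constructed here; the handler classes and the probe() helper are this example's own, not IIS or LocalDirector code.

```python
"""Trailing-slash redirects behind a port-masking load balancer.

Added example (not from the original post). Two handlers serve the same
"directory" path; both redirect a request that lacks the trailing slash,
but only one of them leaks the back-end port into the Location header.
"""
import http.client
import http.server
import threading

# Constructed: paths the server treats as directories (need a trailing slash).
DIRECTORIES = {"/are/belong/"}


def redirect_location(path, host_header, listen_port, use_host_header):
    """Return the Location for a directory request missing its trailing slash,
    or None when no redirect is needed.

    listen_port is the port the server socket is bound to (the masked port).
    host_header is the client's Host header (host, or host:port when the
    client used a non-default port). With use_host_header=False the authority
    is rebuilt from the socket port, which is the behaviour the post describes.
    """
    if path.endswith("/") or path + "/" not in DIRECTORIES:
        return None
    if use_host_header and host_header:
        authority = host_header                      # exactly what the client used
    else:
        hostname = host_header.split(":")[0] if host_header else "localhost"
        authority = "%s:%d" % (hostname, listen_port)  # leaks the masked port
    return "http://%s%s/" % (authority, path)


class _Base(http.server.BaseHTTPRequestHandler):
    use_host_header = False

    def do_GET(self):
        location = redirect_location(self.path, self.headers.get("Host"),
                                     self.server.server_port, self.use_host_header)
        if location is not None:
            self.send_response(301)
            self.send_header("Location", location)
            self.end_headers()
            return
        body = b"all your base\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class NaiveHandler(_Base):
    use_host_header = False          # Location built from the socket port


class HostAwareHandler(_Base):
    use_host_header = True           # Location built from the Host header


def probe(handler_cls, path="/are/belong", host_header="all.your.org"):
    """Start handler_cls on an ephemeral loopback port (standing in for the
    masked back-end port), send one GET with the given Host header, and return
    (status, location_header_or_None, listen_port) without following redirects.
    """
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header)   # what the client typed, port 80 implied
        conn.endheaders()
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"), srv.server_port)
        resp.read()
        conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return result


if __name__ == "__main__":
    print("naive     :", probe(NaiveHandler))
    print("host-aware:", probe(HostAwareHandler))
    print("with slash:", probe(HostAwareHandler, path="/are/belong/"))
```

The naive probe returns a 301 to http://all.your.org:PORT/are/belong/, which is the second headache the post describes: the LocalDirector must then also listen on that port or the client dead-ends. The host-aware probe redirects to http://all.your.org/are/belong/, so the masked port never reaches the client. If a proxy in front rewrites the Host header itself, the server would need the original authority from a forwarded header (for example X-Forwarded-Host) instead, which this example does not handle.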
