[thelist] Question about IIS, SSL, and subdomains

[Ken Schaefer]

Hi,

SSL certificates serve two purposes:
a) identification (to prevent identity spoofing)
    -and-
b) to facilitate encryption of traffic between client and server

In order to perform (a), the SSL certificate contains the DNS name of the
site that it is identifying (this can be website, SMTP site, whatever). So,
in this sense the SSL certificate *is* tied to the DNS name of the site. You
can not use a cert issued to site1.mycompany.com for site2.mycompany.com
(without the client flagging an issue with the certificate).

When using SSL to secure a site, you can not use HTTP v1.1 Host: headers to
differentiate the site. A normal HTTP request looks like this:

GET /resource.ext HTTP/1.1
Host: site1.mycompany.com
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322)
Accept-Encoding: gzip, deflate

When using SSL, everything after the first line is encrypted, and so the
server has no way of knowing (via the Host: header) which website the
request should be routed to for decryption. Instead, each site must be run
on a unique IP address + TCP port combination. Since these details are
contained in the packet as part of lower level protocols (IP, and TCP
respectively), they are not encrypted, and are readily available to the
webserver. The webserver uses those to route the request to the appropriate
website.

CAVEAT:
If you have mulitple domain names *and* they point to the physical content,
then you can get a wildcard SSL Certificate (*.mycompany.com), and point
multiple DNS names to the same website. You wouldn't use host-headers to
identify the secure site, however the wild card certificate matches all the
supplied DNS names (site1.mycompany.com and site2.mycompany.com), so the
client will not complain about a mis-matched name.

Cheers
Ken

----- Original Message ----- 
From: "Johnson, Christopher (MTO)" <Christopher.Johnson at mto.gov.on.ca>
To: <thelist at lists.evolt.org>
Sent: Saturday, May 22, 2004 12:54 AM
Subject: [thelist] Question about IIS, SSL, and subdomains


: Hello,
:
: I have a quick question regarding setting up SSL certificates under IIS
6.0
: when subdomains are involved. I was told that is I have several different
: domains on a single server, all domains in the form of:
:
: www.foo1.test.domain.com
: www.foo2.test.domain.com
: www.foo3.test.domain.com
:
: and each domain is assigned to the same IP (i.e., the server is using http
: 1.1 to resolve the domain name to the correct virtual website), then I can
: not have different SSL certificates setup for each domain. In other words,
: the certificate is tied to the IP address and not to the domain name or to
: the virtual directory/website on IIS.
:
: Is this true and is there a simple way of setting all this up?
:
: Chris
:
: If any of this does not make sense, I am getting the information second
: hand. Personally, I would just bind as many IP addresses as required to
the
: NIC and go from there, however, in this situation, this may not be an
: option.
: --