[ACCEPTED]-Multiple subdomains with SSL under IIS-subdomain

Accepted answer
Score: 18

"I'm guessing the problem lies in the fact 3 that I can't specify a host header value 2 for SSL"

You guessed right. You will need 1 two IP addresses.

Score: 10

The problem is fundamental to the way HTTPS 14 works.

Virtual hosting relies on the "Host" header 13 introduced in HTTP/1.1. That's part of the 12 HTTP protocol, but from the standpoint of 11 the SSL protocol, the HTTP layer is "application 10 data", and can't be transmitted until 9 the SSL handshake has been completed.

However, the 8 server certificate is presented during the handshake. The 7 HTTP server hasn't seen the "Host" header 6 yet, so it wouldn't know which certificate 5 to send. Using a distinct IP address works, because 4 that's visible at the IP layer below SSL.

Update: There's 3 a new TLS extension that allows clients 2 to indicate the server they intend to use 1 during the handshake. See dlongley's answer for more information.

Score: 5

I am not sure what web server you are running, but 8 in IIS 6 on windows server 2003, you can 7 use host headers for SSL sites, thus allowing 6 them to be on the same IP Address.

http:// www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

EDIT: This 5 will only work if the certificate is a wildcard 4 certificate. Otherwise, subdomain "affiliate" will 3 try to use the same certificate as subdomain 2 "www", and visitors will get a 1 warning.

Score: 3

This probably won't help you, but hopefully 15 it's informative.

There's an extension to 14 the TLS protocol that some TLS clients use 13 called Server Name Indication (SNI). This 12 extension allows TLS clients to specify 11 the hostname of the server they are trying 10 to contact. So when the client connects 9 and sends a ClientHello message within the 8 TLS protocol, the server can decide which 7 certificate to respond with. This makes 6 virtual SSL/TLS servers possible on a single 5 IP.

OpenSSL provides callback functions to 4 allow you to read what hostname the client 3 sent and handle fetching the appropriate 2 certificate, but unfortunately I have no 1 idea if this is possible with IIS.

Score: 0

In the particular situation you are where 11 you need 2 subdomains of the same domain 10 a WildCard certificate has to work... I use 9 a wildcard cert since 3 years for dozens 8 of sites, and no customer has reported errors

If 7 you have something telling the cert is for 6 "www", then your cert is not a true wildcard 5 cert, or you are experiencing some kind 4 of browser caching issues or you are using 3 2 copies of the cert and you updatet only 2 one of them, or you forgot restarting the 1 server, or .. I donno :)

More Related questions