SSL and Host Header support

Either that or a differant port (not 443).

-Erik

"Jonathan Maltz [MS-MVP]" wrote:

 > Hi,
 >
 > You'll need to use different IP addresses for the different websites, to
 > have SSL on more than one site
 >
 > --
 > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
 > <a style='text-decoration: underline;' href="http://www.visualwin.com" target="_blank">http://www.visualwin.com</a> - A Windows Server 2003 visual, step-by-step
 > tutorial site
 > <a style='text-decoration: underline;' href="http://vpc.visualwin.com" target="_blank">http://vpc.visualwin.com</a> - Does <insert OS name> work on VPC 2004? Find out
 > here
 > Only reply by newsgroup. I do not do technical support via email. Any
 > emails I have not authorized are deleted before I see them.
 >
 >
 > "trevorsoft" <trevorsoft DeleteThis @discussions.microsoft.com> wrote in message
 > news:736799D8-8C2C-4064-9736-49775B732265@microsoft.com...
  > > Anyone figure out how to use multiple host headers (IPs) with SSL?
 >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: SSL and Host Header support 

You can also use unique port numbers for this as well.
Host Headers are not supported when you use SSL.

Here is a KB article explaining why:

<a style='text-decoration: underline;' href="http://support.microsoft.com/?id=187504" target="_blank">http://support.microsoft.com/?id=187504</a>

I have found you can still sort of use them by using a
unique port number. ie...
If your Host Headed site is <a style='text-decoration: underline;' href="http://host01/" target="_blank">http://host01/</a> You can get it
secured by specifing a unique port number when setting up
SSL on the virtual server (say 9043). The secured url
would then be <a style='text-decoration: underline;' href="https://host01:9043/" target="_blank">https://host01:9043/</a>
It's not pretty but it works

Patrick


 >-----Original Message-----
 >Hi,
 >
 >You'll need to use different IP addresses for the
different websites, to
 >have SSL on more than one site
 >
 >--
 >--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual
PC]
 >http://www.visualwin.com - A Windows Server 2003 visual,
step-by-step
 >tutorial site
 >http://vpc.visualwin.com - Does <insert OS name> work on
VPC 2004? Find out
 >here
 >Only reply by newsgroup. I do not do technical support
via email. Any
 >emails I have not authorized are deleted before I see
them.
 >
 >
 >"trevorsoft" <trevorsoft DeleteThis @discussions.microsoft.com> wrote
in message
 >news:736799D8-8C2C-4064-9736-49775B732265@microsoft.com...
  >> Anyone figure out how to use multiple host headers
(IPs) with SSL?
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: SSL and Host Header support 

I'm sure that I tried that once, and it didn't work (well, it worked to give
one site 2 secure ports, but not to give 2 different sites SSL)

--
--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
<a style='text-decoration: underline;' href="http://www.visualwin.com" target="_blank">http://www.visualwin.com</a> - A Windows Server 2003 visual, step-by-step
tutorial site
<a style='text-decoration: underline;' href="http://vpc.visualwin.com" target="_blank">http://vpc.visualwin.com</a> - Does <insert OS name> work on VPC 2004? Find out
here
Only reply by newsgroup. I do not do technical support via email. Any
emails I have not authorized are deleted before I see them.


"Patrick Reeves" <anonymous.TakeThisOut@discussions.microsoft.com> wrote in message
news:1f14c01c457b1$5ff0c8e0$a301280a@phx.gbl...
 > You can also use unique port numbers for this as well.
 > Host Headers are not supported when you use SSL.
 >
 > Here is a KB article explaining why:
 >
<font color=purple> > <a style='text-decoration: underline;' href="http://support.microsoft.com/?id=187504</font" target="_blank">http://support.microsoft.com/?id=187504</font</a>>
 >
 > I have found you can still sort of use them by using a
 > unique port number. ie...
 > If your Host Headed site is <a style='text-decoration: underline;' href="http://host01/" target="_blank">http://host01/</a> You can get it
 > secured by specifing a unique port number when setting up
 > SSL on the virtual server (say 9043). The secured url
<font color=purple> > would then be <a style='text-decoration: underline;' href="https://host01:9043/</font" target="_blank">https://host01:9043/</font</a>>
 > It's not pretty but it works
 >
 > Patrick
 >
 >
  > >-----Original Message-----
  > >Hi,
  > >
  > >You'll need to use different IP addresses for the
 > different websites, to
  > >have SSL on more than one site
  > >
  > >--
  > >--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual
 > PC]
  > >http://www.visualwin.com - A Windows Server 2003 visual,
 > step-by-step
  > >tutorial site
  > >http://vpc.visualwin.com - Does <insert OS name> work on
 > VPC 2004? Find out
  > >here
  > >Only reply by newsgroup. I do not do technical support
 > via email. Any
  > >emails I have not authorized are deleted before I see
 > them.
  > >
  > >
  > >"trevorsoft" <trevorsoft.TakeThisOut@discussions.microsoft.com> wrote
 > in message
  > >news:736799D8-8C2C-4064-9736-49775B732265@microsoft.com...
   > >> Anyone figure out how to use multiple host headers
 > (IPs) with SSL?
  > >
  > >
  > >.
  > ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: SSL and Host Header support 

Hmm, now that I think about it I think the only time I've done it is with 2 IP addresses. I'm not sure if this would work or not either.

-Erik

"Jonathan Maltz [MS-MVP]" wrote:

 > I'm sure that I tried that once, and it didn't work (well, it worked to give
 > one site 2 secure ports, but not to give 2 different sites SSL)
 >
 > --
 > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
 > <a style='text-decoration: underline;' href="http://www.visualwin.com" target="_blank">http://www.visualwin.com</a> - A Windows Server 2003 visual, step-by-step
 > tutorial site
 > <a style='text-decoration: underline;' href="http://vpc.visualwin.com" target="_blank">http://vpc.visualwin.com</a> - Does <insert OS name> work on VPC 2004? Find out
 > here
 > Only reply by newsgroup. I do not do technical support via email. Any
 > emails I have not authorized are deleted before I see them.
 >
 >
 > "Patrick Reeves" <anonymous.TakeThisOut@discussions.microsoft.com> wrote in message
 > news:1f14c01c457b1$5ff0c8e0$a301280a@phx.gbl...
  > > You can also use unique port numbers for this as well.
  > > Host Headers are not supported when you use SSL.
  > >
  > > Here is a KB article explaining why:
  > >
<font color=green>  > > <a style='text-decoration: underline;' href="http://support.microsoft.com/?id=187504</font" target="_blank">http://support.microsoft.com/?id=187504</font</a>>
  > >
  > > I have found you can still sort of use them by using a
  > > unique port number. ie...
  > > If your Host Headed site is <a style='text-decoration: underline;' href="http://host01/" target="_blank">http://host01/</a> You can get it
  > > secured by specifing a unique port number when setting up
  > > SSL on the virtual server (say 9043). The secured url
<font color=green>  > > would then be <a style='text-decoration: underline;' href="https://host01:9043/</font" target="_blank">https://host01:9043/</font</a>>
  > > It's not pretty but it works
  > >
  > > Patrick
  > >
  > >
   > > >-----Original Message-----
   > > >Hi,
   > > >
   > > >You'll need to use different IP addresses for the
  > > different websites, to
   > > >have SSL on more than one site
   > > >
   > > >--
   > > >--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual
  > > PC]
   > > >http://www.visualwin.com - A Windows Server 2003 visual,
  > > step-by-step
   > > >tutorial site
   > > >http://vpc.visualwin.com - Does <insert OS name> work on
  > > VPC 2004? Find out
   > > >here
   > > >Only reply by newsgroup. I do not do technical support
  > > via email. Any
   > > >emails I have not authorized are deleted before I see
  > > them.
   > > >
   > > >
   > > >"trevorsoft" <trevorsoft.TakeThisOut@discussions.microsoft.com> wrote
  > > in message
   > > >news:736799D8-8C2C-4064-9736-49775B732265@microsoft.com...
   > > >> Anyone figure out how to use multiple host headers
  > > (IPs) with SSL?
   > > >
   > > >
   > > >.
   > > >
 >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: SSL and Host Header support 

SSL requires an IP address for every SSL website.

I would recommend watching the webcast below...
http://www.microsoft.com/usa/webcasts/ondemand/2099.asp
TechNet Webcast: Troubleshooting Secure Socket Layer (SSL)
and or
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032254842&...ture=en
TechNet Webcast: Using Host Headers in Windows Server 2003 DNS and IIS 6.0 - Level 200

Both talk about why you need an IP address for each one.

Hope this helps.
 >> Stay informed about: SSL and Host Header support 

Well I've seen all the responses BUT I did some research on this topic myself
.... I guess I need to know why I can do this "Configuring SSL Host Headers
(IIS 6.0)
" Found

IIS 6.0 Documentation > IIS 6.0 Operations Guide > Security in IIS 6.0 >
IIS 6.0 Encryption > Configuring Secure Sockets Layer

"""" The following conditions apply to the use of SSL host headers:

• SSL host headers cannot be configured by using the IIS Manager UI.

• Using SSL host headers requires that the wildcard certificate be installed
on each Web site from which you want to serve protected content. This adds
overhead to site management, because you must manually ensure that multiple
sites are kept in sync with each other.

• You must configure secure bindings for each Web site that uses the
wildcard server certificate to prevent unauthorized use of that certificate.


This section includes the following information:

• Obtaining and Installing a Wildcard Server Certificate: Describes how to
request a wildcard server certificate and install it on a Web site.

• Configuring Server Bindings for SSL Host Headers: Describes how to
configure the SecureBindings metabase property to create SSL host headers for
each Web site that you want to enable to use the wildcard server certificate.

• Ensuring That Secure Content Is Served Over HTTPS Only: Describes how to
prevent unauthorized Web sites from using the wildcard certificate.

"

"trevorsoft" wrote:

 > Anyone figure out how to use multiple host headers (IPs) with SSL?<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: SSL and Host Header support 

<a style='text-decoration: underline;' href="http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx" target="_blank">http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library...S/596b9</a>

--
//David
IIS
<a style='text-decoration: underline;' href="http://blogs.msdn.com/David.Wang" target="_blank">http://blogs.msdn.com/David.Wang</a>
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"/Colin" <Colin.TakeThisOut@discussions.microsoft.com> wrote in message
news:3E9D81FA-0AFB-41A6-AD2F-A5442C506FD0@microsoft.com...
Well I've seen all the responses BUT I did some research on this topic
myself
.... I guess I need to know why I can do this "Configuring SSL Host
Headers
(IIS 6.0)
" Found

IIS 6.0 Documentation > IIS 6.0 Operations Guide > Security in IIS 6.0 >
IIS 6.0 Encryption > Configuring Secure Sockets Layer

"""" The following conditions apply to the use of SSL host headers:

.. SSL host headers cannot be configured by using the IIS Manager UI.

.. Using SSL host headers requires that the wildcard certificate be installed
on each Web site from which you want to serve protected content. This adds
overhead to site management, because you must manually ensure that multiple
sites are kept in sync with each other.

.. You must configure secure bindings for each Web site that uses the
wildcard server certificate to prevent unauthorized use of that certificate.


This section includes the following information:

.. Obtaining and Installing a Wildcard Server Certificate: Describes how to
request a wildcard server certificate and install it on a Web site.

.. Configuring Server Bindings for SSL Host Headers: Describes how to
configure the SecureBindings metabase property to create SSL host headers
for
each Web site that you want to enable to use the wildcard server
certificate.

.. Ensuring That Secure Content Is Served Over HTTPS Only: Describes how to
prevent unauthorized Web sites from using the wildcard certificate.

"

"trevorsoft" wrote:

 > Anyone figure out how to use multiple host headers (IPs) with SSL?<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: SSL and Host Header support 

I've got 4 sites - 2 SSL and 2 on port 80. I have tried binding the SSL
certificates to the respective headers using the instructions in "Configuring
SSL Host Headers (IIS 6.0)" from the link below.
The two SSL sites have their own IP addresses to which they are bound.

SSL site 1 works fine.
When I attempt to get to SSL site 2 though I get the certificate from site 1
- the correct site is delivered though.

Re-reading the link below it states that I need a wildcard certificate - is
that correct as I've seen a few posts that say if you bind each SSL site to a
different IP it should work with standard host certificates.

I'm hosting on IIS 6 - Win2k3 SP2.

Many thanks.

"David Wang [Msft]" wrote:

> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library...S/596b9
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "/Colin" <Colin RemoveThis @discussions.microsoft.com> wrote in message
> news:3E9D81FA-0AFB-41A6-AD2F-A5442C506FD0@microsoft.com...
> Well I've seen all the responses BUT I did some research on this topic
> myself
> .... I guess I need to know why I can do this "Configuring SSL Host
> Headers
> (IIS 6.0)
> " Found
>
> IIS 6.0 Documentation > IIS 6.0 Operations Guide > Security in IIS 6.0 >
> IIS 6.0 Encryption > Configuring Secure Sockets Layer
>
> """" The following conditions apply to the use of SSL host headers:
>
> .. SSL host headers cannot be configured by using the IIS Manager UI.
>
> .. Using SSL host headers requires that the wildcard certificate be installed
> on each Web site from which you want to serve protected content. This adds
> overhead to site management, because you must manually ensure that multiple
> sites are kept in sync with each other.
>
> .. You must configure secure bindings for each Web site that uses the
> wildcard server certificate to prevent unauthorized use of that certificate.
>
>
> This section includes the following information:
>
> .. Obtaining and Installing a Wildcard Server Certificate: Describes how to
> request a wildcard server certificate and install it on a Web site.
>
> .. Configuring Server Bindings for SSL Host Headers: Describes how to
> configure the SecureBindings metabase property to create SSL host headers
> for
> each Web site that you want to enable to use the wildcard server
> certificate.
>
> .. Ensuring That Secure Content Is Served Over HTTPS Only: Describes how to
> prevent unauthorized Web sites from using the wildcard certificate.
>
> "
>
> "trevorsoft" wrote:
>
> > Anyone figure out how to use multiple host headers (IPs) with SSL?
>
>
>
 >> Stay informed about: SSL and Host Header support 

Please do not duplicate post.

Your issue is that your two SSL sites are not configured to their own
IP addresses. Their SSL Bindings are currently for "All IP Port 443"
-- which does not match what you say nor want -- hence Site 2 is
conflicting and only Site 1's certificate is returned. Your event log
entries say exactly the same thing, so that is what you need to fix.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Jun 4, 12:09 am, Seth <S....RemoveThis@discussions.microsoft.com> wrote:
> I've got 4 sites - 2 SSL and 2 on port 80. I have tried binding the SSL
> certificates to the respective headers using the instructions in "Configuring
> SSL Host Headers (IIS 6.0)" from the link below.
> The two SSL sites have their own IP addresses to which they are bound.
>
> SSL site 1 works fine.
> When I attempt to get to SSL site 2 though I get the certificate from site 1
> - the correct site is delivered though.
>
> Re-reading the link below it states that I need a wildcard certificate - is
> that correct as I've seen a few posts that say if you bind each SSL site to a
> different IP it should work with standard host certificates.
>
> I'm hosting on IIS 6 - Win2k3 SP2.
>
> Many thanks.
>
>
>
> "David Wang [Msft]" wrote:
> >http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Librar...
>
> > --
> > //David
> > IIS
> >http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "/Colin" <Co....RemoveThis@discussions.microsoft.com> wrote in message
> >news:3E9D81FA-0AFB-41A6-AD2F-A5442C506FD0@microsoft.com...
> > Well I've seen all the responses BUT I did some research on this topic
> > myself
> > ....   I guess I need to know why I can do this  "Configuring SSL Host
> > Headers
> > (IIS 6.0)
> > "   Found
>
> >  IIS 6.0 Documentation > IIS 6.0 Operations Guide > Security in IIS 6.0 >
> > IIS 6.0 Encryption > Configuring Secure Sockets Layer
>
> > """" The following conditions apply to the use of SSL host headers:
>
> > .. SSL host headers cannot be configured by using the IIS Manager UI.
>
> > .. Using SSL host headers requires that the wildcard certificate be installed
> > on each Web site from which you want to serve protected content. This adds
> > overhead to site management, because you must manually ensure that multiple
> > sites are kept in sync with each other.
>
> > .. You must configure secure bindings for each Web site that uses the
> > wildcard server certificate to prevent unauthorized use of that certificate.
>
> > This section includes the following information:
>
> > .. Obtaining and Installing a Wildcard Server Certificate: Describes how to
> > request a wildcard server certificate and install it on a Web site.
>
> > .. Configuring Server Bindings for SSL Host Headers: Describes how to
> > configure the SecureBindings metabase property to create SSL host headers
> > for
> > each Web site that you want to enable to use the wildcard server
> > certificate.
>
> > .. Ensuring That Secure Content Is Served Over HTTPS Only: Describes how to
> > prevent unauthorized Web sites from using the wildcard certificate.
>
> > "
>
> > "trevorsoft" wrote:
>
> > > Anyone figure out how to use multiple host headers (IPs) with SSL?- Hide quoted text -
>
> - Show quoted text -
 >> Stay informed about: SSL and Host Header support