TLS Server Name Indication Support

  • Question

  • User-1090319347 posted
    We want IIS to support TLS Server Name Indication, because we want to host multiple secure websites with different certificates on a single IP address. TLS SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
    Tuesday, October 20, 2009 2:45 AM

All replies

  • User511787461 posted

    This feature is under consideration for the next release of windows.

    Tuesday, October 20, 2009 2:07 PM
  • User-1090319347 posted
    Okay, thanks for the quick reply. In the meantime we'll use Linux and OpenSSL.
    Tuesday, October 20, 2009 5:31 PM
  • User-1853252149 posted

    If you absolutely need multiple certs for sites using a single IP then Linux is your best (perhaps only) option. I'm of the opinion that sites on a single IP shouldn't be using separate certs, but I've also always resisted using multiple sites on a single IP whenever possible. I understand that in some situations you have no choice.

    Jeff

    Wednesday, October 21, 2009 8:14 AM
  • User511787461 posted

    I had a query regarding that - are you seeing that most of the clients connecting to your site support TLS SNI? One reason for the delay in implementing this on the server side in Windows has been the belief that the percentage of clients supporting this is still low (even though the latest versions of IE and Firefox support it).

    Thursday, October 22, 2009 2:15 PM
  • User-1090319347 posted
    We need SNI not because we have clients connecting with SSL but because we have to host almost a thousand unique web servers (SOAP XML HL7v3 services), each with its own FQDN and SSL certificate, on a Win2008 IIS7 server for incoming SSL connections from other servers. Without SNI this means we need a unique IP address per FQDN/SSL cert; with SNI we could host all the sites on 1 IP. It’s obvious that 1 IP address for incoming SSL services is a lot more efficient and easier to maintain and configure. Add to that that all IP traffic is routed over firewalls and private (healthcare) networks, and it’s even more obvious that one single IP compared to almost a thousand is a BIG difference. For now we’ve put a dedicated Linux OpenSSL server between the Win2008 host and the network to handle the incoming SSL traffic. We hope SNI will be introduced in the near future.
    Tuesday, November 3, 2009 2:41 PM
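The front end described in the post above has to pick a certificate before it can see any HTTP Host header, so the only routing key it has is the server_name extension in the TLS ClientHello. The following is an added example, not code from the thread or from any product named in it: it builds a minimal ClientHello (the sample bytes are constructed here, with placeholder hostnames and certificate labels), extracts the SNI host name from the raw record, and shows the fallback a front end is forced into when a client sends no SNI at all.

```python
"""Added example (not from the thread): extract the server_name (SNI) from a
raw TLS ClientHello and use it to pick a certificate, as an SNI-aware front
end must do before it sends its Certificate message.

The ClientHello is constructed by build_client_hello() for the demo; the field
layout follows RFC 5246 section 7.4.1.2 and RFC 6066 section 3. Hostnames and
certificate labels are placeholders, not real sites.
"""
import struct
from typing import Dict, Optional

SNI_EXTENSION_TYPE = 0          # RFC 6066: server_name
SUPPORTED_VERSIONS_TYPE = 43    # RFC 8446: supported_versions


class _Cursor:
    """Bounds-checked reader: a malformed hello raises ValueError, never IndexError."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated field")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record, with SNI if hostname is given."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, fixed random, empty session id
    suites = struct.pack("!3H", 0x1301, 0xC02F, 0x009C)    # a few cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")                     # host_name is an ASCII A-label
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name(0)
        sni = struct.pack("!H", len(entry)) + entry        # ServerNameList
        exts += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni
    versions = b"\x02\x03\x03"                             # supported_versions: [TLS 1.2]
    exts += struct.pack("!HH", SUPPORTED_VERSIONS_TYPE, len(versions)) + versions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_server_name(data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry."""
    outer = _Cursor(data)
    names = _Cursor(outer.take(outer.uint(2)))
    while names.remaining():
        name_type = names.uint(1)
        name = names.take(names.uint(2))
        if name_type == 0:                                 # host_name
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                raise ValueError("non-ASCII host_name") from None
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a single-record ClientHello, or None if the client sent none."""
    rec = _Cursor(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a handshake record")
    rec.take(2)                                            # record-layer version
    hs = _Cursor(rec.take(rec.uint(2)))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = _Cursor(hs.take(hs.uint(3)))
    body.take(2 + 32)                                      # client_version, random
    body.take(body.uint(1))                                # session_id
    body.take(body.uint(2))                                # cipher_suites
    body.take(body.uint(1))                                # compression_methods
    if body.remaining() == 0:
        return None                                        # no extensions block at all: no SNI possible
    exts = _Cursor(body.take(body.uint(2)))
    while exts.remaining():
        ext_type = exts.uint(2)
        ext_data = exts.take(exts.uint(2))
        if ext_type == SNI_EXTENSION_TYPE:
            return _parse_server_name(ext_data)
    return None


def select_certificate(record: bytes, cert_by_name: Dict[str, str], default_cert: str) -> str:
    """Choose which certificate to present; without SNI only one cert can be offered per IP."""
    name = extract_sni(record)
    if name is None:
        return default_cert
    return cert_by_name.get(name.lower(), default_cert)


if __name__ == "__main__":
    certs = {"www.domain1.com": "cert-domain1", "www.domain2.com": "cert-domain2"}
    for host in ("www.domain2.com", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), select_certificate(hello, certs, "cert-default"))
```

The `None` branch is the exact problem the thread's Microsoft reply alludes to: a client without SNI (old IE on XP, for instance) always gets the default certificate, and will see a name mismatch for every other site on that IP. A real front end also has to reassemble a ClientHello that spans several records; this parser deliberately rejects that as truncated.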
  • User-604276414 posted
    1 IP-adress for incoming SSL services is a lot more efficient and easier to maintain

    And cheaper as well. You usually get 1 to 5 IP addresses, not an unlimited number of them, and you have to purchase additional ones separately.

    Not to mention running out of IPv4 addresses.

    Tuesday, November 3, 2009 2:48 PM
  • User-1826166664 posted

    Does the content of this article accomplish what you (we) need?

    I have an immediate need to run multiple ssl sites on a single ip and was counting on this document to pull everything together.

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8d9f2a8f-cd23-448c-b2c7-f4e87b9e2d2c.mspx?mfr=true

    Tuesday, November 24, 2009 12:54 AM
  • User-1090319347 posted
    No, this doesn't solve the problem.
    Monday, December 7, 2009 4:12 AM
  • User2015307410 posted

    We also really need this feature in order to host multiple sites in an efficient way.

    Can it really be true that MS has no plans to support this before the next major release of a Windows Server OS?

    SNI is supported on the client side by everybody using Firefox (2 and up), Safari on Mac OS X and everybody using Windows Vista and up.

    I guess the main reason that there has been some validity in the claim about lacking client-side support has been the complete failure in getting the corporate world to accept Windows Vista (due to its ridiculous resource usage). But hopefully Windows 7 will fare much better, which then should eliminate the problems with client-side support.

    The above statement is just another way of stating that I don't understand why this isn't supported in IIS, when you do support it on the client side...

    Thursday, January 7, 2010 10:52 AM
  • User-1826166664 posted

    Here is what worked for me in IIS 6.

     1) Configure host header names on 443 for IIS. I recommend scripting it because it won't be the last time you run this cmd.

    :: adsutil.vbs ships in %SystemDrive%\Inetpub\AdminScripts on IIS 6.
    :: SecureBindings ":443:hostname" means any IP, port 443, host header "hostname";
    :: the number after /w3svc/ is the metabase site ID of the site being bound.
    cscript.exe adsutil.vbs set /w3svc/<replace with your site id>/SecureBindings ":443:www.domain1.com"
    cscript.exe adsutil.vbs set /w3svc/1709n76999/SecureBindings ":443:www.domain2.com"
    cscript.exe adsutil.vbs set /w3svc/108937373/SecureBindings ":443:www.domain3.com"
    cscript.exe adsutil.vbs set /w3svc/2299387888/SecureBindings ":443:www.domain4.com"
    cscript.exe adsutil.vbs set /w3svc/1838j33838/SecureBindings ":443:www.domain5.com"

    2) Install a UCC certificate from DigiCert. Don't worry about all the references to Exchange on this page. The common name is for www.domain1.com and all the others are added when you submit the .csr.

    http://www.digicert.com/unified-communications-ssl-tls.htm

    Thursday, January 7, 2010 11:06 AM
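The workaround in the post above is not SNI: with host headers on 443 and no SNI, IIS 6 has already presented its one certificate before the Host header arrives, so the setup only works if that single UCC certificate's subjectAltName list covers every host header bound on the port. A missing name is silently a certificate warning for that site. The following is an added example, not the poster's script or DigiCert's tooling: it checks a list of 443 bindings against a certificate's SAN entries using the RFC 6125 dNSName rules, including the constraints on wildcards. The bindings reuse the post's placeholder host names and the SAN list is constructed for the demo.

```python
"""Added example (not from the thread): verify that one certificate's
subjectAltName list covers every hostname bound on port 443, which is what the
IIS 6 host-header workaround relies on, since every site presents the same cert.

The SAN list and the bindings are constructed placeholders; in practice take
the SANs from: openssl x509 -noout -ext subjectAltName -in cert.pem
"""
from typing import Iterable, List


def hostname_matches(hostname: str, san: str) -> bool:
    """dNSName matching per RFC 6125 section 6.4.3: case-insensitive; a wildcard
    must be the entire leftmost label and must have at least two labels after it."""
    h = hostname.lower().rstrip(".")
    s = san.lower().rstrip(".")
    if "*" not in s:
        return h == s
    if not s.startswith("*.") or s.count("*") != 1:
        return False                      # "w*.example.com" or "a.*.b" are not accepted
    suffix = s[1:]                        # "*.domain3.com" -> ".domain3.com"
    if suffix.count(".") < 2:
        return False                      # "*.com" would match every .com host
    if not h.endswith(suffix):
        return False
    leftmost = h[:-len(suffix)]
    return leftmost != "" and "." not in leftmost   # the wildcard spans exactly one label


def uncovered_bindings(bindings: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Hostnames from the 443 bindings that no SAN entry covers.
    Only SANs count: modern browsers ignore the CN, so the CN alone covers nothing."""
    san_list = list(sans)
    return [b for b in bindings if not any(hostname_matches(b, s) for s in san_list)]


# Constructed sample: the five host headers from the post and a UCC cert whose
# SAN list was ordered for only four of them (one of those via a wildcard).
BINDINGS = ["www.domain1.com", "www.domain2.com", "www.domain3.com",
            "www.domain4.com", "www.domain5.com"]
SANS = ["www.domain1.com", "www.domain2.com", "*.domain3.com", "www.domain4.com"]

if __name__ == "__main__":
    missing = uncovered_bindings(BINDINGS, SANS)
    print("bound on 443 but not covered by the certificate:", missing)
```

Run this before (and after) every re-issue of the UCC certificate: every name added with a new SecureBindings entry has to be present in the next CSR, otherwise clients for that host header get a name-mismatch error even though the binding itself works.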