IIS6 and SSL
in [IIS]
|
From: Dooza on 11 May 2010 04:47 Hi there, I have a Windows 2003 Server with IIS6 running multiple websites via host headers. Only one of the sites has an SSL certificate, which works just fine. I am in the middle of sorting out PCI DSS compliance and am using www.hackerguardian.com to do the quarterly scans. For some reason some of the sites seem to be responding on port 443 with 200 OK status, so I am having to report lots of false positives on these sites. I don't understand why this is happening and how to prevent it. I have checked IIS and only one site has port 443 enabled. Is there something I can do in IIS to stop this from happening? Cheers, Dooza
From: Dan on 13 May 2010 06:55 "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl... > Hi there, > I have a Windows 2003 Server with IIS6 running multiple websites via host > headers. Only one of the sites has an SSL certificate, which works just > fine. > > I am in the middle of sorting out PCI DSS compliance and am using > www.hackerguardian.com to do the quarterly scans. > > For some reason some of the sites seem to be responding on port 443 with > 200 OK status, so I am having to report lots of false positives on these > sites. > > I don't understand why this is happening and how to prevent it. I have > checked IIS and only one site has port 443 enabled. Is there something I > can do in IIS to stop this from happening? > > Cheers, > > Dooza If they are all sharing a single IP, then there's nothing you can do to stop this - the site host headers are not checked until after the initial SSL handshake has completed, so there's no way to block the sites that shouldn't be responding on port 443 if they are sharing an IP with one that does. -- Dan
From: Dooza on 13 May 2010 08:24 On 13/05/2010 11:55, Dan wrote: > > "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message > news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl... >> Hi there, >> I have a Windows 2003 Server with IIS6 running multiple websites via >> host headers. Only one of the sites has an SSL certificate, which >> works just fine. >> >> I am in the middle of sorting out PCI DSS compliance and am using >> www.hackerguardian.com to do the quarterly scans. >> >> For some reason some of the sites seem to be responding on port 443 >> with 200 OK status, so I am having to report lots of false positives >> on these sites. >> >> I don't understand why this is happening and how to prevent it. I have >> checked IIS and only one site has port 443 enabled. Is there something >> I can do in IIS to stop this from happening? >> >> Cheers, >> >> Dooza > > If they are all sharing a single IP, then there's nothing you can do to > stop this - the site host headers are not checked until after the > initial SSL handshake has completed, so there's no way to block the > sites that shouldn't be responding on port 443 if they are sharing an IP > with one that does. You are correct, I did a test last night by changing one of the sites to another IP and now it works as expected. I am going to change all other sites over to the non SSL IP, then all will be well. Thanks for confirming this for me. Kind regards, Dooza
From: Dan on 13 May 2010 08:33 "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message news:eeT2Icp8KHA.1892(a)TK2MSFTNGP05.phx.gbl... > On 13/05/2010 11:55, Dan wrote: >> >> "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message >> news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl... >>> Hi there, >>> I have a Windows 2003 Server with IIS6 running multiple websites via >>> host headers. Only one of the sites has an SSL certificate, which >>> works just fine. >>> >>> I am in the middle of sorting out PCI DSS compliance and am using >>> www.hackerguardian.com to do the quarterly scans. >>> >>> For some reason some of the sites seem to be responding on port 443 >>> with 200 OK status, so I am having to report lots of false positives >>> on these sites. >>> >>> I don't understand why this is happening and how to prevent it. I have >>> checked IIS and only one site has port 443 enabled. Is there something >>> I can do in IIS to stop this from happening? >>> >>> Cheers, >>> >>> Dooza >> >> If they are all sharing a single IP, then there's nothing you can do to >> stop this - the site host headers are not checked until after the >> initial SSL handshake has completed, so there's no way to block the >> sites that shouldn't be responding on port 443 if they are sharing an IP >> with one that does. > > You are correct, I did a test last night by changing one of the sites to > another IP and now it works as expected. I am going to change all other > sites over to the non SSL IP, then all will be well. > > Thanks for confirming this for me. > > Kind regards, > > Dooza I think it's possible to get it working the way you originally had it under IIS7, but on the browser side will also require the SNI extension to TLS (IE7 on Vista, and IE8 on Vista/W7/W2008 has this, for instance), as this allows the browser to send the Host header in the initial request before SSL is negotiated and allow IIS to determine if the requested site has SSL enabled or not. For a publicly accessible server where you have no control over the browsers being used this just isn't possible even with IIS7, and certainly not with IIS6 anyway as it does not support SNI. -- Dan
From: Dooza on 13 May 2010 09:53 On 13/05/2010 13:33, Dan wrote: > > "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message > news:eeT2Icp8KHA.1892(a)TK2MSFTNGP05.phx.gbl... >> On 13/05/2010 11:55, Dan wrote: >>> >>> "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message >>> news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl... >>>> Hi there, >>>> I have a Windows 2003 Server with IIS6 running multiple websites via >>>> host headers. Only one of the sites has an SSL certificate, which >>>> works just fine. >>>> >>>> I am in the middle of sorting out PCI DSS compliance and am using >>>> www.hackerguardian.com to do the quarterly scans. >>>> >>>> For some reason some of the sites seem to be responding on port 443 >>>> with 200 OK status, so I am having to report lots of false positives >>>> on these sites. >>>> >>>> I don't understand why this is happening and how to prevent it. I have >>>> checked IIS and only one site has port 443 enabled. Is there something >>>> I can do in IIS to stop this from happening? >>>> >>>> Cheers, >>>> >>>> Dooza >>> >>> If they are all sharing a single IP, then there's nothing you can do to >>> stop this - the site host headers are not checked until after the >>> initial SSL handshake has completed, so there's no way to block the >>> sites that shouldn't be responding on port 443 if they are sharing an IP >>> with one that does. >> >> You are correct, I did a test last night by changing one of the sites >> to another IP and now it works as expected. I am going to change all >> other sites over to the non SSL IP, then all will be well. >> >> Thanks for confirming this for me. >> >> Kind regards, >> >> Dooza > > I think it's possible to get it working the way you originally had it > under IIS7, but on the browser side will also require the SNI extension > to TLS (IE7 on Vista, and IE8 on Vista/W7/W2008 has this, for instance), > as this allows the browser to send the Host header in the initial > request before SSL is negotiated and allow IIS to determine if the > requested site has SSL enabled or not. For a publicly accessible server > where you have no control over the browsers being used this just isn't > possible even with IIS7, and certainly not with IIS6 anyway as it does > not support SNI. I had seen some information about this, but like you, deemed it not a solution when you have no control over your visitors browsers. Cheers, Dooza
|
Pages: 1 Prev: HTTPS not working Next: Strange LOCK problems with WebDAV upload in IIS7.5 |