Jimmy Soh

Reputation: 419

IIS 7 non-SSL site loading another site's certificate

I have an IIS 7 server hosting a few different sites. Recently I purchased and installed an SSL certificate for one of the sites. Both the http and https bindings are set up with the host headers xxx.com and www.xxx.com.

But now I discover that another site with no SSL is loading the certificate and showing the untrusted certificate error when accessed through https.

Can I know how I can stop the other non-SSL sites from loading the certificate? Thank you.

Upvotes: 0

Views: 697

Answers (1)

Steffen Ullrich

Reputation: 123320

I assume that

  • you are using the server on a single IP address
  • you provide service for multiple names on this single IP address
  • you have configured SSL for some of the names but not for others

This means that

  • The server is listening on this specific IP address for SSL connections.
  • The server can only decide which certificate it should use after receiving the initial SSL request from the client (ClientHello). The client has to use SNI (server name indication) to tell the server which hostname it expects. Most newer clients support this, but for example IE8/XP does not.

Since the server has to listen for SSL connections on this IP address, it can happen that it receives an SSL request for a hostname for which it has no certificate configured. In these cases a server could do the following:

  • Use some other certificate it has configured. This is what your server is doing. This results in an error on the client about an invalid certificate since the name in the certificate does not match the expected name.
  • Simply close the connection or issue some SSL error. This would result in an SSL handshake error on the client, which browsers usually display in a way that end users are not able to understand what's going on. For the browser the situation is simply a server error, and the server is not able to give the browser more detailed information (this is not part of the SSL protocol).

If you don't like either of these two problems, you must serve the non-SSL hosts from a different IP address than the SSL hosts, so that the server will not even listen on the SSL port for connections to the non-SSL hosts.

I hope this explanation helps with your problem. If you now have specific questions about the configuration of the server to achieve the outlined solution, you should ask them at serverfault.com instead.

Upvotes: 1
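The answer's point is that certificate selection happens only after the ClientHello arrives, keyed on the SNI extension, and that a name the server has no certificate for leaves it with exactly two choices. The following is an added example (not code from the question, the answer, or IIS) that makes that decision visible: it constructs a minimal TLS 1.2 ClientHello, parses the SNI server_name out of it, and models the two fallback behaviours against a constructed hostname-to-certificate table. The hostnames xxx.com and www.xxx.com come from the question; the certificate labels, the "other.example" name, and the `reject_unknown` switch are assumptions for illustration.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00        # only name_type defined by RFC 6066


def build_client_hello(server_name):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.

    With server_name=None the extensions block is omitted entirely, which is
    how a legacy client without SNI support (e.g. IE8 on XP) looks on the wire.
    """
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                          # random (fixed placeholder bytes)
        + b"\x00"                               # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # one compression method: null
    )
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None.

    This is the only information the server has when it must pick a certificate;
    the HTTP Host header is not available yet because the TLS session is not up.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                            # skip version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos >= len(body):
        return None                                         # no extensions at all

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        lpos = 2                                            # skip server_name_list length
        while lpos + 3 <= len(data):
            ntype = data[lpos]
            nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            nval = data[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == HOST_NAME_TYPE:
                return nval.decode("ascii")
    return None


def choose_certificate(sni, certs_by_name, reject_unknown=False):
    """Model the two behaviours the answer describes for a name with no certificate.

    certs_by_name maps a lowercase hostname to a certificate label (assumed
    config, not an IIS API). Returns (certificate_or_None, name_matches).
    """
    if sni is not None and sni.lower() in certs_by_name:
        return certs_by_name[sni.lower()], True
    if reject_unknown:
        # Close the connection / send an alert: the browser shows a generic
        # handshake error with no hostname-specific explanation.
        return None, False
    # Fall back to some other configured certificate (what the asker's server
    # does): the browser shows a name-mismatch / untrusted certificate warning.
    fallback = next(iter(certs_by_name.values()))
    return fallback, False


if __name__ == "__main__":
    certs = {"xxx.com": "cert-xxx", "www.xxx.com": "cert-xxx"}  # constructed config
    for name in ("www.xxx.com", "other.example", None):
        sni = extract_sni(build_client_hello(name))
        print(name, "->", sni, choose_certificate(sni, certs),
              choose_certificate(sni, certs, reject_unknown=True))
```

Running it shows the three cases side by side: a name with a configured certificate gets the right one; an unknown name (or a client that sends no SNI at all) either receives the fallback certificate with a name mismatch or is refused with a bare handshake failure. Neither outcome can be turned into a friendly error, which is why the answer's only clean fix is to keep the non-SSL hosts off the IP address that listens on the SSL port.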
