Apache Leading on SSL deployment

Oh well, 5:21am in LA - jet lag kicking in :( Slept a couple of hours since I landed. I slept all the way from Singapore, but still! Anyway, instead of lying on the bed and doing nothing, I powered up my laptop and started reading my RSS feeds, and look what I found!

Apache Now the Leader in SSL Servers

This is the first time in many years that Apache is leading IIS in terms of secure web server deployment. Do you find it hard to deploy SSL in IIS? Well, I don't think it is hard; the basics are there, it is just not that flexible to manipulate. For example, you don't really have an interface to manage SSL certs at the command line for IIS 5. We do have SSLDiag to troubleshoot SSL deployment in IIS, but how many people really understand or can interpret the SSLDiag error messages?

Published Thu, Apr 27 2006 21:23 by qbernard

Comments

# Alun Jones said on 27 April, 2006 11:38 AM
Deploying SSL in IIS is a whole lot easier than deploying SSL in anything other than IIS. It would be nice to see Microsoft come out with a general certificate wizard.
# Casey Lengacher said on 28 April, 2006 06:44 PM
In general, I'm finding deployment of SSL in IIS to be fairly straight-forward; however, I am having one difficulty that I have yet to resolve.

I've set up a website so that at the lowest level possible, all content is to be delivered using SSL and 128-bit encryption via the checkboxes accessed under Directory Security.

I'm doing this because this site is for a DotNetNuke installation, and while there are some URL manglers supplied by third party vendors, I'd just rather make sure I nip the weird exceptions and their faulty code in the bud by blocking everything with a mechanism that sits below their code.

So I tried this out, secured the whole site, then went to the default file for the site and unchecked the SSL protect just for that file.

Now, if I type in the usual URL of http://soandso.org, I still get blocked. But, if I type in http://soandso.org/default.aspx, I do not.

Apparently there is something else going on that overrides the override if the override is on a file being accessed by the default content mechanism?
# qbernard said on 30 April, 2006 12:10 AM
Interesting, Casey... While I'm not sure how DNN works altogether, could you look at the IIS log entries and see what the difference is between visiting the domain URL itself and the URL + default doc? When you said you got blocked, you are referring to hitting the 'required ssl page', right?
# Andre said on 01 May, 2006 01:50 AM
I have an SSL web site that works fine 99% of the time, but one particular user is intermittently able to stop https for all traffic. The website is still available not using SSL, so it is not IIS or the website that caused the problem. Is this weird or what, that a user is able to stop the website for everyone? There are obviously still some problems with Microsoft's https server. I hope Microsoft is aware that their https implementation still needs some work. I am kicking myself now I did not use Apache.
# qbernard said on 03 May, 2006 10:03 AM
Interesting, Andre. 'that a user is able to stop the website for everyone'? You mean when he/she browses the site via SSL, IIS just stops responding? I personally have not seen this before. Have you tried a different browser on the client machine? When it's not responding, can you browse a simple HTML page via http? I suggest you post this plus more detail to the public IIS newsgroup; we can discuss it over there.
# David Wang said on 17 June, 2006 03:21 AM
Casey - You only set the exception on metadata for http://soandso.org/default.aspx

When you make a request to http://soandso.org , IIS has to read metadata for http://soandso.org to decide how to handle it. The request ends up being treated as a 30x courtesy redirect to http://soandso.org/ (note added trailing backslash on the courtesy redirect). The client then makes a second request to http://soandso.org/, which IIS processes with the default document handler and in turn executes http://soandso.org/default.aspx and triggers its metadata.

http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx

The metadata for http://soandso.org and http://soandso.org/ do not contain the exception and thus require SSL protect.

//David
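
The log comparison suggested earlier in the thread (domain URL versus URL plus default document) can be done mechanically. The following is an added example, not code from the post or any commenter; it assumes W3C extended logging with the `s-port`, `sc-status` and `sc-substatus` fields enabled, and the log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem s-port sc-status sc-substatus
2006-04-28 18:40:01 GET / 80 403 4
2006-04-28 18:40:09 GET /default.aspx 80 200 0
2006-04-28 18:41:15 GET / 443 200 0
2006-04-28 18:41:20 GET /default.aspx 443 200 0
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def ssl_enforcement(text):
    """Map each URL stem to the outcomes seen for plain-HTTP (port 80) requests."""
    outcomes = defaultdict(set)
    for row in parse_w3c(text):
        if row.get("s-port") != "80":
            continue
        status = row.get("sc-status", "")
        if (status, row.get("sc-substatus", "0")) == ("403", "4"):
            outcomes[row["cs-uri-stem"]].add("ssl-required")  # 403.4
        elif status.startswith("2"):
            outcomes[row["cs-uri-stem"]].add("served-over-http")
        else:
            outcomes[row["cs-uri-stem"]].add("other:" + status)
    return dict(outcomes)


def http_exceptions(text):
    """Stems served in clear text: each one carries its own SSL exception."""
    seen = ssl_enforcement(text)
    return sorted(s for s, o in seen.items() if "served-over-http" in o)


if __name__ == "__main__":
    for stem, outcome in sorted(ssl_enforcement(SAMPLE_LOG).items()):
        print(stem, sorted(outcome))
```

Run against a real log, `http_exceptions` lists every path that answered over port 80, which makes a per-file exception such as the one on `/default.aspx` visible next to the `403.4` on `/`.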
