We are using IIS 6 and ASP.NET. When users make secure page requests using

https://somesite.com/securePage.aspx

the user gets an error:


Error code: ssl_error_bad_cert_domain


The certificate was issued to www.somesite.com and indicates that somesite.com uses an invalid security certificate.

I was hoping to be able to catch the request in the Application BeginRequest event but the SSL error occurs before this. In order to invoke the Application BeginRequest event the user needs to click through the certificate error message. Is it possible to redirect in code or does this fix need to occur within IIS?

A: 

In Apache this is usually done with mod_rewrite:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

Google for "rewrite URL IIS", you'll find some equivalents for IIS.

djn
this will not help, because the redirect can only happen after the cert error is encountered.
hop
A: 

Interesting. I have never observed this behavior in any site until I saw this question. Even Google has this problem. The URL below gives the bad cert error:

https://google.com/accounts/

Btw, most of the sites have a subdomain which they protect with a certificate. One vote up for the question.

Ramesh
+4  A: 

The only solution is to include the second domain in the certificate with a SubjectAlternativeName. Some certificate authorities will allow you to do this without extra cost.

Everything else would only happen after the SSL connection is established and therefore after the error is encountered by the user.

With HTTPS the SSL connection is negotiated before any of the HTTP headers are sent to the server, including the Host:-header that tells the server for which virtual host the request is actually intended.

hop
I am going to inquire internally to see if one of our Network Admins is aware of how to accomplish this. Is this a trivial issue to fix? I presume that the RewriteRule is possible with an Apache Server and with IIS 7 but not IIS 6. Am I understanding this correctly?
JohnL
and now somebody please explain the -1 vote...
hop
this is not a trivial issue to fix: you would have to re-implement the whole web.
hop
OK, here is the deal. You are correct, this is not a trivial issue! According to our SSL cert provider, setting the SAN is possible on the certificate. Our NA group, however, does not want to get involved for whatever reason. The fix wanted by our NA is to tack on 'www' to all incoming requests.
JohnL
HOP - I trusted and went with your answer as best and it was confirmed. However politically it did not fly with our NA group. If I could vote your answer up I would. My rep is just shy. I personally want to thank you for your diligence and KB! Thanks!
JohnL
I feel your pain :-( Suggest to the NA group to pay a visit to every single one of your users and make them enter the www. whenever they enter the URL by hand ;)
hop
I tried to vote your answer up and it's either neg 1 or 0. Zero is better I think. :)
JohnL
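The answer above says the certificate itself has to list every hostname users type, because the name check happens during the handshake, before any redirect can run. As an added example (not part of the original thread), this Python check reports which hostnames a certificate fails to cover; it assumes certificate data shaped like the dict returned by `ssl.SSLSocket.getpeercert()`, and the three sample certificates are constructed.

```python
def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # Require at least "*.domain.tld" so that "*.com" never matches
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_dns_names(cert):
    """Return the DNS names a client would compare the hostname against."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the subject CN is ignored
    # Legacy fallback to the common name; modern browsers require a SAN entry
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def uncovered(cert, hostnames):
    """Hostnames that would trigger a name-mismatch error with this certificate."""
    names = cert_dns_names(cert)
    return [h for h in hostnames if not any(dns_name_matches(n, h) for n in names)]


# Every hostname users may type into the address bar (names from the question)
HOSTS = ["somesite.com", "www.somesite.com"]

# Constructed sample certificates in getpeercert() layout
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.somesite.com"),),),
    "subjectAltName": (("DNS", "www.somesite.com"),),
}
CERT_BOTH = {
    "subject": ((("commonName", "www.somesite.com"),),),
    "subjectAltName": (("DNS", "www.somesite.com"), ("DNS", "somesite.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.somesite.com"),),),
    "subjectAltName": (("DNS", "*.somesite.com"),),
}

if __name__ == "__main__":
    for label, cert in [("www only", CERT_WWW_ONLY), ("www + bare domain", CERT_BOTH),
                        ("wildcard", CERT_WILDCARD)]:
        print(f"{label}: not covered -> {uncovered(cert, HOSTS)}")
```

A wildcard certificate for `*.somesite.com` still leaves the bare `somesite.com` uncovered, so the bare domain needs its own SAN entry either way.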
A: 

HOP is correct with his answer. Owen also, if we had the luxury of using IIS 7, as rewrite rules similar to the mod_rewrite rule of Apache are now possible from within IIS.

After further investigation today together with our Network Admins and our SSL cert provider, applying a SAN to our certificate is quite possible and at no charge.

However, due to political issues within the ORG, it was decided that DEV (my group) institute a redirect to the registered domain within the Application BeginRequest event. For each request we will check that the URL points to our FQDN. If the request is made to the 'Short Name' then we will point it to the FQDN, always by appending the www to the short name that will be returned by the context.Host method.

No doubt this will increase chattiness etc.!

JohnL