views:

1188

answers:

5

I currently need to have 2 subdomains under the same domain under SSL.
Both subdomains (www and affiliate) are on the same IIS server, under the same IP, and each one has a specified host header value (www.mydomain.com and affiliate.mydomain.com).

The first subdomain (www), which is the default, works great, with and without SSL.
The second subdomain works perfect under HTTP.

The problem is that I just purchased and installed the SSL certificate for the affiliate subdomain, and when you go to https://affiliate.mydomain.com, you get redirected to http://www.mydomain.com.

I'm guessing the problem lies in the fact that I can't specify a host header value for SSL? (the dialog where I normally set the host header value doesn't have that option in the bottom part, dedicated to SSL).

What can I do about this? Should I have each subdomain in a separate IP? Is this not doable at all?

Thanks! Daniel

+6  A: 

"I'm guessing the problem lies in the fact that I can't specify a host header value for SSL"

You guessed right. You will need two IP addresses.

Greg Dean
+3  A: 

I am not sure what web server you are running, but in IIS 6 on windows server 2003, you can use host headers for SSL sites, thus allowing them to be on the same IP Address.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true

EDIT: This will only work if the certificate is a wildcard certificate. Otherwise, subdomain "affiliate" will try to use the same certificate as subdomain "www", and visitors will get a warning.

Jon Price
he doesn't have a wildcard certificate.
Greg Dean
This is a good point though; a wildcard could work because both hosts are in the same domain.
erickson
This worked, kinda, but not for my situation. Apparently I need a wildcard certificate for this. When I did it, my affiliate subdomain was no longer redirected to www, but I get a warning that the SSL cert is for www... Worst part is that I'm having trouble undoing what I did :-) I'll see whether the separate IPs thing works.
Daniel Magliola
+2  A: 

The problem is fundamental to the way HTTPS works.

Virtual hosting relies on the "Host" header introduced in HTTP/1.1. That's part of the HTTP protocol, but from the standpoint of the SSL protocol, the HTTP layer is "application data", and can't be transmitted until the SSL handshake has been completed.

However, the server certificate is presented during the handshake. The HTTP server hasn't seen the "Host" header yet, so it wouldn't know which certificate to send. Using a distinct IP address works, because that's visible at the IP layer below SSL.

erickson
Thank you for the explanation!
Daniel Magliola
A: 

In the particular situation you are in, where you need 2 subdomains of the same domain, a wildcard certificate has to work... I have used a wildcard cert for 3 years for dozens of sites, and no customer has reported errors.

If you have something telling you the cert is for "www", then your cert is not a true wildcard cert, or you are experiencing some kind of browser caching issue, or you are using 2 copies of the cert and you updated only one of them, or you forgot to restart the server, or... I dunno :)

AlberT
I don't have a wildcard cert
Daniel Magliola
A: 

This probably won't help you, but hopefully it's informative.

There's an extension to the TLS protocol that some TLS clients use called Server Name Indication (SNI). This extension allows TLS clients to specify the hostname of the server they are trying to contact. So when the client connects and sends a ClientHello message within the TLS protocol, the server can decide which certificate to respond with. This makes virtual SSL/TLS servers possible on a single IP.

OpenSSL provides callback functions to allow you to read what hostname the client sent and handle fetching the appropriate certificate, but unfortunately I have no idea if this is possible with IIS.

dlongley