3
votes

We use IIS8.5 with only the default web site configured, but with thousands of domains pointing to it on the same load-balanced IP.

We are planning to offer https (SSL) for all these thousands of domains. All .pfx certificates will be stored in a Central Certificate Store (CCS) and will bound to the same web site, using the same IP, thanks to the Server Name Indication (SNI) feature.

SNI and CCS work fine for this purpose, but only if we add an explicit binding for each domain in the default web site, which is not practical for thousands of domains:

        <site name="Default Web Site" id="1">
            <application path="/">
                <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
            </application>
            <bindings>
                <binding protocol="http" bindingInformation="*:80:" />
                <binding protocol="https" bindingInformation="*:443:www.domain1.com.br" sslFlags="3" />
                <binding protocol="https" bindingInformation="*:443:www.domain2.com.br" sslFlags="3" />
                <binding protocol="https" bindingInformation="*:443:www.domain3.com.br" sslFlags="3" />
                ...
                ...
                ...
                <binding protocol="https" bindingInformation="*:443:www.otherdomain9998.com.br" sslFlags="3" />
                <binding protocol="https" bindingInformation="*:443:www.otherdomain9999.com.br" sslFlags="3" />
                ...
            </bindings>
        </site>

I tried to configure a default https protocol binding, in the same way as the default http protocol binding and using sslFlags="3", which means SNI+CCS:

        <site name="Default Web Site" id="1">
            <application path="/">
                <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
            </application>
            <bindings>
                <binding protocol="http" bindingInformation="*:80:" />
                <binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
            </bindings>
        </site>

With the above configuration, no SSL certificate is served to any browser.

Is there any other way of configuring a default web site for https using SNI and CCS?

I would really appreciate any help in pointing me to the right direction.

Thank you!

Guilherme

2
"...thanks to the Server Name Indication (SNI) feature" - oh, that's going to be painful. Windows XP's SChannel does not support SNI; and neither do a number of downlevel clients (millions of Android devices and friends). And clients that could support it often don't advertise SNI because programmers still use SSLv3 in 2014 (SNI is a TLS feature). - jww
We saw SNI acceptance increase to almost 98% of our customer base in Brazil. Windows XP is rapidly becoming negligible. So we think it's time to give it a try, because of IPv4 scarcity and a recent decision by Google to use HTTPS as a ranking signal: link - Guilherme Rudnitzki
The problem is that we host a service that is used by more than 25.000 domains on the same IP and in the same IIS website! Currently, the owner of each domain simply configures its DNS to point to our IP and everything works fine when using http. For https, there will be two extra steps: 1) Send the domain's pfx to the CCS 2) Add the domain's binding to the default web site. We would like to have a default web site for https using SNI and CCS, so we don't have to maintain all these bindings in the applicationHost.config file. This would be a pain, even using PowerShell! - Guilherme Rudnitzki
I just don't understand why Microsoft did not implement a default web server functionality for https and CCS+SNI. This way we could simply put the 25.000+ domain pfx files in the CCS repository and the default web site would respond to http and https without any explicit binding. Or maybe they did it? Any help will be greatly appreciated! - Guilherme Rudnitzki

2 Answers

6
votes

Case resolved!

1) First I used IIS to create a bogus SSL binding in the default web site for www.whatever.com, using SNI and CCS.

2) Then I manually edited this bogus binding entry in the applicationHost.config file as follows:

FROM:

<binding protocol="https" bindingInformation="*:443:www.whatever.com" sslFlags="3" />

TO:

<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />

3) Finally, I sent my certificates to the CCS folder. After about 5 minutes, the new SSL sites were automatically activated by IIS.

In other words, I got a default web site for SSL, using many certificates in the same IP and without creating a binding for each one!

This is great!!!
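The same catch-all SNI+CCS binding as the accepted answer, done with the WebAdministration cmdlets instead of a hand edit, plus the checks a practitioner wants afterwards (backup, sslFlags really equal to 3, .pfx file naming, which certificate a given host name actually gets). This is an added example, not code from the question or either answer; it assumes IIS 8.0+ with the Centralized SSL Certificate Support feature installed and an elevated session, and $ccsPath / $ccsUser are placeholders.

```powershell
# Added example (not from the question or answers); see lead-in for assumptions.
# $ccsPath, $ccsUser and 'www.domain1.com.br' are placeholders.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$ccsPath  = '\\fileserver\ccs'      # placeholder UNC share holding the .pfx files
$ccsUser  = 'DOMAIN\ccs-reader'     # placeholder: dedicated read-only account for that share
$ccsPass  = Read-Host 'Password of the CCS share account'
$pfxPass  = Read-Host 'Private key password shared by the .pfx files'

# 1. Back up applicationHost.config before touching any binding.
$config = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
Copy-Item $config "$config.$(Get-Date -Format yyyyMMddHHmmss).bak"

# 2. Point IIS at the Central Certificate Store if that is not done yet.
if (-not (Get-WebCentralCertProvider).Enabled) {
    Enable-WebCentralCertProvider -CertStoreLocation $ccsPath -UserName $ccsUser `
        -Password $ccsPass -PrivateKeyPassword $pfxPass
}

# 3. Add the catch-all https binding: empty host header, sslFlags 3 = SNI (1) + CCS (2).
$catchAll = Get-WebBinding -Name $siteName -Protocol https |
    Where-Object { $_.bindingInformation -eq '*:443:' }
if (-not $catchAll) {
    New-WebBinding -Name $siteName -Protocol https -IPAddress '*' -Port 443 -SslFlags 3
    $catchAll = Get-WebBinding -Name $siteName -Protocol https |
        Where-Object { $_.bindingInformation -eq '*:443:' }
}
if ([int]$catchAll.sslFlags -ne 3) { throw "Catch-all binding has sslFlags $($catchAll.sslFlags), not 3" }

# 4. CCS selects the file by host name (www.domain1.com.br.pfx; wildcard _.domain1.com.br.pfx),
#    so a misnamed file silently leaves that host without a certificate.
Get-ChildItem $ccsPath -Filter '*.pfx' |
    Where-Object { $_.BaseName -notmatch '^(_|[a-z0-9-]+)(\.[a-z0-9-]+)+$' } |
    ForEach-Object { Write-Warning "Unusual CCS file name: $($_.Name)" }

# 5. Open a TLS session with SNI for one host and report which certificate came back.
function Test-SniCertificate([string]$HostName, [string]$Server = '127.0.0.1') {
    $tcp = New-Object Net.Sockets.TcpClient($Server, 443)
    # Validation callback returns $true only so the served certificate can be inspected here.
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)   # SNI carries $HostName to IIS
        return $ssl.RemoteCertificate.Subject
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}
Test-SniCertificate -HostName 'www.domain1.com.br'
```

The CCS share holds private keys, so the account in $ccsUser should be the only principal with read access to it; the 5-minute delay the answer mentions is IIS picking up new files from that share.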

-3
votes

It happened to me.

I fixed it with the following steps:

- Find the file applicationHost.config in the path: (local disk):Windows/System32/inetsrv/config (in my case)

- Save this file under another name as a backup in case something happens

- Open the file with a text editor and find the following:
(surely you won't find it)

- Add this line to one of the bindings that contains sslFlags (just once)

The problem has been fixed