Multiple SSL certs on virtual servers - again

Hi all,
I've read the posts on multiple SSL certs on virtual servers, as well as the
kb articles (again) and I'm wondering if anyone has had the same issue I'm
getting now. In the past I've always managed to get multiple certs working by
either using a different port or a different IP address. I understand
encrypted host headers but I thought that as long as the SecureBinding for
the vserver was unique it should work.
E.g x.x.x.x:443 and x.x.x.x:444 would work, OR x.x.x.x:443 and x.x.x.y:443
would work. IIS shouldn't need to decrypt the host header (which it cant
until it gets the right cert anyway) as long as there is only one vserver
that matches the IP:port of the request?
Sooo... I've gone to set up a second cert on our current server, bought a
second IP, configured the vserver to use the new IP and installed the cert.
No joy - IIS won't bind as it claims that binding is taken - despite the
other ssl vserver using the other IP. If I set the second site to use 'All
Unassigned' IIS will bind, but it still don't work :(
SSL Diagnostic tool can successfully imitate a handshake, however a browser
simply times out.
Any ideas?
TIA,
Paul Bryant

Multiple SSL certs on virtual servers - add. info

I forgot to mention I'm running IIS5.1/Win2K fully patched, bandaged and
locked-down, and that I can get both secure sites to work if I use both a
different IP and a different port, however this would be the solution of last
resort.
tia
Paul
"justageezer" wrote:

> Hi all,
> I've read the posts on multiple SSL certs on virtual servers, as well as the
> kb articles (again) and I'm wondering if anyone has had the same issue I'm
> getting now. In the past I've always managed to get multiple certs working by
> either using a different port or a different IP address. I understand
> encrypted host headers but I thought that as long as the SecureBinding for
> the vserver was unique it should work.
> E.g x.x.x.x:443 and x.x.x.x:444 would work, OR x.x.x.x:443 and x.x.x.y:443
> would work. IIS shouldn't need to decrypt the host header (which it cant
> until it gets the right cert anyway) as long as there is only one vserver
> that matches the IP:port of the request?
> Sooo... I've gone to set up a second cert on our current server, bought a
> second IP, configured the vserver to use the new IP and installed the cert.
> No joy - IIS won't bind as it claims that binding is taken - despite the
> other ssl vserver using the other IP. If I set the second site to use 'All
> Unassigned' IIS will bind, but it still don't work :(
> SSL Diagnostic tool can successfully imitate a handshake, however a browser
> simply times out.
> Any ideas?
> TIA,
> Paul Bryant

Re: Multiple SSL certs on virtual servers - add. info

I assumed you have disable socket pooling, and no other apps is binding
port 443 of the new ip address.
get tcpview or other port view program to double check.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"justageezer" wrote in message
news:F0F39F35-508D-48A1-A168-7C822751384A@microsoft.com...
>I forgot to mention I'm running IIS5.1/Win2K fully patched, bandaged and
> locked-down, and that I can get both secure sites to work if I use both a
> different IP and a different port, however this would be the solution of
> last
> resort.
> tia
> Paul
> "justageezer" wrote:
>
>> Hi all,
>> I've read the posts on multiple SSL certs on virtual servers, as well as
>> the
>> kb articles (again) and I'm wondering if anyone has had the same issue
>> I'm
>> getting now. In the past I've always managed to get multiple certs
>> working by
>> either using a different port or a different IP address. I understand
>> encrypted host headers but I thought that as long as the SecureBinding
>> for
>> the vserver was unique it should work.
>> E.g x.x.x.x:443 and x.x.x.x:444 would work, OR x.x.x.x:443 and
>> x.x.x.y:443
>> would work. IIS shouldn't need to decrypt the host header (which it cant
>> until it gets the right cert anyway) as long as there is only one vserver
>> that matches the IP:port of the request?
>> Sooo... I've gone to set up a second cert on our current server, bought a
>> second IP, configured the vserver to use the new IP and installed the
>> cert.
>> No joy - IIS won't bind as it claims that binding is taken - despite the
>> other ssl vserver using the other IP. If I set the second site to use
>> 'All
>> Unassigned' IIS will bind, but it still don't work :(
>> SSL Diagnostic tool can successfully imitate a handshake, however a
>> browser
>> simply times out.
>> Any ideas?
>> TIA,
>> Paul Bryant