Is it possible to mix SNI and non-SNI bindings on the same IP address and port in IIS 8.5?


I found a good resource on a Microsoft blog that goes into detail on IIS SNI and even some CCS:

https://blogs.msdn.microsoft.com/kaushal/2012/09/04/server-name-indication-sni-with-iis-8-windows-server-2012/

It is a great resource. I read it and the comments carefully. Based on that blog I think I know the answer, but as the saying goes, another pair of eyes never hurts.

I have a Windows Server 2012 box running IIS 8.5 with a single IP address. It hosts one site with two SSL bindings, i.e. HTTPS. Both use port 443, each with its own unique certificate. Since there is only one IP, both bindings share the same IP. One binding has "Require Server Name Indication" checked and the hostname myserver.example.com. The other binding is the default SSL binding, so "Require Server Name Indication" is unchecked and the hostname is empty.

(By the way, based on the blog above, I think we can answer this question: what if a hostname is entered but "Require Server Name Indication" is unchecked? Nothing. It falls back to IP:Port.)

My question is whether it is possible to mix SNI and non-SNI SSL bindings on the same IP:Port.

Based on the workflow described in the blog (see below) and my own testing, no: it always picks the non-SNI SSL binding. But maybe I am wrong and I am just not seeing a way to mix SNI and non-SNI bindings on the same IP:Port.

    Below are the steps involved during SSL handshake between a SNI
    compliant Client and a site hosted on IIS 8 on which a SSL binding is 
    configured to use SNI.

    1. The client and the server establish a TCP connection via TCP 
       handshake.

    2. The client sends a Client Hello to the server. This packet contains 
       the specific protocol version, list of supported cipher suites along 
       with the hostname (let’s say www.outlook.com provided it’s an SNI 
       compliant browser). The TCP/IP headers in the packet contain the 
       IPAddress and the Port number.

    3. The server checks the registry (legacy bindings) to find a 
       certificate hash/thumbprint corresponding to the above combination of 
       IP:Port.

    4. If there is no legacy binding for that IP:Port, then server uses 
       hostname information available from the Client Hello checks the 
       registry to find a certificate hash corresponding to the above 
       combination of Hostname:Port. The server checks the below key to find 
       the combination:

        HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo

    5. If the above step fails i.e., if the server couldn’t find a 
       corresponding hostname:port, then it would use the IPAddress 
       available to search for a legacy SSL binding for that IPAddress and 
       PORT. (If this is absent then the SSL handshake would fail)

    6. Once it finds a match, the crypto APIs are called to retrieve the 
       Server Certificate based on the thumbprint/certificate hash from the 
       certificate store. The retrieved certificate is then added to the 
       Server Hello and sent to the client.
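To make the lookup order in those six steps concrete, here is an added Python model (not code from the blog or from IIS) of steps 3 to 5, using the setup from the question: one IP, one legacy (non-SNI) binding and one SNI binding on port 443. The IP 10.0.0.5 and the thumbprint strings are constructed placeholders, and the legacy key name SslBindingInfo is assumed from HTTP.SYS rather than quoted from the blog.

```python
# Constructed sample bindings for the scenario in the question: one IP, port 443,
# one legacy (non-SNI) binding and one SNI binding. Thumbprints are placeholders.
SERVER_IP = "10.0.0.5"
LEGACY_BINDINGS = {(SERVER_IP, 443): "THUMB-DEFAULT"}             # Require SNI unchecked
SNI_BINDINGS = {("myserver.example.com", 443): "THUMB-MYSERVER"}  # Require SNI checked


def select_certificate(ip, port, sni_hostname, legacy=LEGACY_BINDINGS, sni=SNI_BINDINGS):
    """Thumbprint the server would present, or None when the handshake fails.

    Follows steps 3-5 of the quoted workflow literally. `legacy` stands for the
    IP:Port entries under HTTP\\Parameters\\SslBindingInfo (assumed key name) and
    `sni` for the Hostname:Port entries under HTTP\\Parameters\\SslSniBindingInfo.
    """
    # Step 3: a legacy binding for this IP:Port is used unconditionally, even
    # when the Client Hello carried a matching SNI hostname.
    if (ip, port) in legacy:
        return legacy[(ip, port)]
    # Step 4: no legacy binding, so look up Hostname:Port from the Client Hello.
    if sni_hostname and (sni_hostname.lower(), port) in sni:
        return sni[(sni_hostname.lower(), port)]
    # Step 5: the last resort is the same IP:Port legacy lookup as step 3, which
    # is already known to be empty, so the handshake fails (None).
    return legacy.get((ip, port))


def scenarios():
    """Outcome for each combination the question asks about."""
    return {
        # Both bindings present: even an SNI client gets the default certificate.
        "mixed, sni client": select_certificate(SERVER_IP, 443, "myserver.example.com"),
        "mixed, no sni": select_certificate(SERVER_IP, 443, None),
        # Legacy binding removed: SNI works, but non-SNI clients can no longer connect.
        "sni only, sni client": select_certificate(SERVER_IP, 443, "myserver.example.com", legacy={}),
        "sni only, no sni": select_certificate(SERVER_IP, 443, None, legacy={}),
    }


if __name__ == "__main__":
    for name, thumb in scenarios().items():
        print(f"{name:22s} -> {thumb or 'handshake fails'}")
```

Running it shows the trade-off the question describes: with a legacy binding on the same IP:Port the SNI binding is never reached, and without it non-SNI clients get no certificate at all.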
