Re: SSL ISAPI Question
From: Wade A. Hilmo [MS] (wadeh_at_microsoft.com)
Date: 02/18/04
Date: Wed, 18 Feb 2004 08:05:57 -0800
Hi Dan,

I don't know off the top of my head which notifications sspifilt.dll uses.
It definitely uses SF_NOTIFY_READ_RAW_DATA and SF_NOTIFY_SEND_RAW_DATA to do
the SSL handshaking, decrypting and encrypting. Try looking in the metabase
for the w3svc/filters/sspifilt/filterflags property. The value stored there
is the dwFlags value passed by the filter when it loaded last. It will
include the notification mask.

As for your other question about SSL with host headers, the issue here is
more basic than the filter implementation. When a request is sent over SSL,
everything - including headers - is encrypted. To do the decryption, IIS
needs to get the correct site certificate. If the host header is needed to
identify the site, it creates a catch-22. IIS can't decrypt until it knows
the site, but it can't determine the site until it decrypts the host header.
Consequently, if you want to use SSL with different sites, those sites need
to be determinable without knowing the host header. They can be on
different IP addresses and the same port, or they can be on the same IP
address with a different port, or the IP and port can both be different, or
any combination, as long as the IP/port are unique to the site.

I hope that this helps,
-Wade A. Hilmo,
-Microsoft

PS: I don't know if sspifilt.dll makes a good example of how a filter
works. READ_RAW/SEND_RAW filters, especially ones that work correctly, are
very rare. A better example might be UrlScan.dll.
"Dan Szepesi" <dszepesi@hotmail.com> wrote in message
news:eNsc68X9DHA.2672@TK2MSFTNGP10.phx.gbl...
> I am writing up a training doc about ISAPI Filters and Extensions, and am
> using the SSL filter SSPIFILT as an example of an ISAPI filter. Does anyone
> know offhand where in the event chain SSL works? In other words, what
> events does the SSL filter register for?
>
> I am looking for this much detail because I am trying to also explain why
> Host Headers don't work with SSL. My understanding is that SSL has not
> acted on the request to decrypt it yet when IIS tries to read the headers.
>
> In this article:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_isapi_extensions.3a_.filters.asp
>
> it mentions that if I want to do custom encryption, I should use the
> following events:
>
> SF_NOTIFY_READ_RAW_DATA, SF_NOTIFY_WRITE_RAW_DATA
>
> Does that mean that this is what events the SSL filter registers for? This
> doesn't make sense to me since this article:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/eventnotificationorder.asp
>
> places that event first in the order of events that are raised, and if that
> was the case, it could then read the host headers after it was decrypted.
>
> This is a hopelessly geeky post, I am aware of that, but I would like to
> nail this down.
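
Decoding the filterflags value mentioned in the reply into notification names, as an added example that is not part of the original thread. The bit values are those of the SF_NOTIFY_* constants in the IIS SDK header httpfilt.h; the function names and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* SF_NOTIFY_* bits as defined in the IIS SDK header httpfilt.h. */
static const struct { unsigned long bit; const char *name; } FLAGS[] = {
    {0x00000001UL, "SF_NOTIFY_SECURE_PORT"},
    {0x00000002UL, "SF_NOTIFY_NONSECURE_PORT"},
    {0x00000040UL, "SF_NOTIFY_SEND_RESPONSE"},
    {0x00000080UL, "SF_NOTIFY_END_OF_REQUEST"},
    {0x00000100UL, "SF_NOTIFY_END_OF_NET_SESSION"},
    {0x00000200UL, "SF_NOTIFY_LOG"},
    {0x00000400UL, "SF_NOTIFY_SEND_RAW_DATA"},
    {0x00000800UL, "SF_NOTIFY_ACCESS_DENIED"},
    {0x00001000UL, "SF_NOTIFY_URL_MAP"},
    {0x00002000UL, "SF_NOTIFY_AUTHENTICATION"},
    {0x00004000UL, "SF_NOTIFY_PREPROC_HEADERS"},
    {0x00008000UL, "SF_NOTIFY_READ_RAW_DATA"},
    {0x00020000UL, "SF_NOTIFY_ORDER_LOW"},
    {0x00040000UL, "SF_NOTIFY_ORDER_MEDIUM"},
    {0x00080000UL, "SF_NOTIFY_ORDER_HIGH"},
    {0x04000000UL, "SF_NOTIFY_AUTH_COMPLETE"},
};
#define RAW_DATA_MASK (0x00008000UL | 0x00000400UL)

/* Write the '|'-joined names of the set bits into out and return any bits
 * that are not in the table, so unexpected values stand out. */
unsigned long decode_filter_flags(unsigned long flags, char *out, size_t len)
{
    unsigned long unknown = flags;
    size_t i, used;
    if (len == 0) return flags;
    out[0] = '\0';
    for (i = 0; i < sizeof FLAGS / sizeof FLAGS[0]; i++) {
        if (!(flags & FLAGS[i].bit)) continue;
        unknown &= ~FLAGS[i].bit;
        used = strlen(out);
        snprintf(out + used, len - used, "%s%s", used ? "|" : "", FLAGS[i].name);
    }
    return unknown;
}

/* True when the filter registered for either raw-data notification. */
int registers_raw_data(unsigned long flags) { return (flags & RAW_DATA_MASK) != 0; }

int main(void)
{
    unsigned long sample = 0x00088501UL; /* constructed, not from a real metabase */
    char names[512];
    unsigned long unknown = decode_filter_flags(sample, names, sizeof names);
    printf("0x%08lX = %s (unknown 0x%lX)\n", sample, names, unknown);
    return !registers_raw_data(sample);
}
```

Running the same decoder over every entry under w3svc/filters shows which installed filters registered for raw-data notifications.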