Re: SSL ISAPI Question
From: Dan Szepesi (dszepesi_at_hotmail.com)
Date: 02/18/04
Date: Wed, 18 Feb 2004 11:17:29 -0500
Perfect - thanks for the reply!!
That makes a lot more sense now.
>>>>
A better example might be UrlScan.dll.
>>>>
Hmm, I wonder who wrote that ....... :)
I will use URLSCAN as my example, thanks!!
Dan Szepesi
Digex
"Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message
news:e6AgMmj9DHA.1948@TK2MSFTNGP12.phx.gbl...
> Hi Dan,
>
> I don't know off the top of my head which notifications sspifilt.dll uses.
> It definitely uses SF_NOTIFY_READ_RAW_DATA and SF_NOTIFY_SEND_RAW_DATA to do
> the SSL handshaking, decrypting and encrypting. Try looking in the metabase
> for the w3svc/filters/sspifilt/filterflags property. The value stored there
> is the dwFlags value passed by the filter when it loaded last. It will
> include the notification mask.
>
> As for your other question about SSL with host headers, the issue here is
> more basic than the filter implementation. When a request is sent over SSL,
> everything - including headers - is encrypted. To do the decryption, IIS
> needs to get the correct site certificate. If the host header is needed to
> identify the site, it creates a catch-22. IIS can't decrypt until it knows
> the site, but it can't determine the site until it decrypts the host header.
>
> Consequently, if you want to use SSL with different sites, those sites need
> to be determinable without knowing the host header. They can be on
> different IP addresses and the same port, or they can be on the same IP
> address with a different port, or the IP and port can both be different, or
> any combination, as long as the IP/port are unique to the site.
>
> I hope that this helps,
> -Wade A. Hilmo,
> -Microsoft
>
> PS: I don't know if sspifilt.dll makes a good example of how a filter
> works. READ_RAW/SEND_RAW filters, especially ones that work correctly, are
> very rare. A better example might be UrlScan.dll.
>
> "Dan Szepesi" <dszepesi@hotmail.com> wrote in message
> news:eNsc68X9DHA.2672@TK2MSFTNGP10.phx.gbl...
> > I am writing up a training doc about ISAPI Filters and Extensions, and am
> > using the SSL filter SSPIFILT as an example of an ISAPI filter. Does anyone
> > know offhand where in the event chain SSL works? In other words, what
> > events does the SSL filter register for?
> >
> > I am looking for this much detail because I am trying to also explain why
> > Host Headers don't work with SSL. My understanding is that SSL has not
> > acted on the request to decrypt it yet when IIS tries to read the headers.
> >
> > In this article:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_core_isapi_extensions.3a_.filters.asp
> >
> > it mentions that if I want to do custom encryption, I should use the
> > following events:
> >
> > SF_NOTIFY_READ_RAW_DATA, SF_NOTIFY_WRITE_RAW_DATA
> >
> > Does that mean that this is what events the SSL filter registers for? This
> > doesn't make sense to me since this article:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/eventnotificationorder.asp
> >
> > places that event first in the order of events that are raised, and if that
> > was the case, it could then read the host headers after it was decrypted.
> >
> > This is a hopelessly geeky post, I am aware of that, but I would like to
> > nail this down.
>
>
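
The quoted reply above points at the w3svc/filters/sspifilt/filterflags metabase property as the place to see which notifications a filter registered for. As an added example (not part of the original thread), this C code decodes such a dwFlags value using the SF_NOTIFY_* bit values from httpfilt.h; the sample value in main() is constructed, not read from a real server.

```c
#include <stdio.h>
#include <string.h>

/* Notification and priority bits from the ISAPI header httpfilt.h. */
static const struct { unsigned long bit; const char *name; } SF_FLAGS[] = {
    {0x00000001UL, "SF_NOTIFY_SECURE_PORT"},
    {0x00000002UL, "SF_NOTIFY_NONSECURE_PORT"},
    {0x00000040UL, "SF_NOTIFY_SEND_RESPONSE"},
    {0x00000080UL, "SF_NOTIFY_END_OF_REQUEST"},
    {0x00000100UL, "SF_NOTIFY_END_OF_NET_SESSION"},
    {0x00000200UL, "SF_NOTIFY_LOG"},
    {0x00000400UL, "SF_NOTIFY_SEND_RAW_DATA"},
    {0x00000800UL, "SF_NOTIFY_ACCESS_DENIED"},
    {0x00001000UL, "SF_NOTIFY_URL_MAP"},
    {0x00002000UL, "SF_NOTIFY_AUTHENTICATION"},
    {0x00004000UL, "SF_NOTIFY_PREPROC_HEADERS"},
    {0x00008000UL, "SF_NOTIFY_READ_RAW_DATA"},
    {0x00020000UL, "SF_NOTIFY_ORDER_LOW"},
    {0x00040000UL, "SF_NOTIFY_ORDER_MEDIUM"},
    {0x00080000UL, "SF_NOTIFY_ORDER_HIGH"},
    {0x04000000UL, "SF_NOTIFY_AUTH_COMPLETE"},
};
#define SF_RAW_MASK 0x00008400UL /* READ_RAW_DATA | SEND_RAW_DATA */

/* Append the name of every set bit to out (names that do not fit are skipped).
   Returns the bits that are not in the table so they are not silently lost. */
unsigned long decode_filter_flags(unsigned long flags, char *out, size_t cap) {
    size_t i, n = sizeof SF_FLAGS / sizeof SF_FLAGS[0];
    if (out && cap) out[0] = '\0'; else cap = 0;
    for (i = 0; i < n; i++) {
        if (!(flags & SF_FLAGS[i].bit)) continue;
        if (cap && strlen(out) + strlen(SF_FLAGS[i].name) + 2 <= cap) {
            if (out[0]) strcat(out, " ");
            strcat(out, SF_FLAGS[i].name);
        }
        flags &= ~SF_FLAGS[i].bit;
    }
    return flags;
}

/* 1 if the filter registered for either raw-data notification. */
int sees_raw_data(unsigned long flags) { return (flags & SF_RAW_MASK) != 0; }

int main(void) {
    char buf[512];
    unsigned long sample = 0x00088403UL; /* constructed value for illustration */
    unsigned long unknown = decode_filter_flags(sample, buf, sizeof buf);
    printf("0x%08lx: %s (unknown 0x%lx, raw=%d)\n", sample, buf, unknown, sees_raw_data(sample));
    return 0;
}
```

A filter whose mask includes either raw-data bit sits in the path of every byte on the connection, which is why such filters deserve closer review than one that only registers for SF_NOTIFY_PREPROC_HEADERS.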