| Groups | Blog | Home |
iis security : Can't get SSL to work locally
I've recently acquired an SSL certificate on my live web site which I maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can use https://www.markrae.co.uk just as well as http://www.markrae.co.uk. Therefore, I need to be able to simulate this on my development machine. I followed the MSKB article How To Set Up Client Certificates (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/htm l/secmod31.asp) to the letter, and am now experiencing the following behaviour on my development machine: 1) If I browse to http://localhost/markrae, all is fine 2) If I browse to https://localhost/markrae, IIS pops the standard Security Alert message (which I'd expect), saying that the Security Certificate was issued by a company I have not chosen to trust etc. So I click Yes, and then I get "Cannot find server or DNS Error", as if the site I'm trying to browse to isn't there. I'm running Windows XP Pro with all the latest security patches. If I open MMC, expand Internet Information Services and right click on Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being installed. If I right click on Default Web Site and select Properties, the IP address is set to (All Unassigned), the TCP port is 80 and the SSL port is 443 (not dimmed). If I run netstat -an from a command prompt, it has a Local Address entry for 0.0.0.0:443 I'm clearly missing something glaringly obvious here... Any assistance gratefully received. Regards, Mark Rae
SelfSSL is the easiest way to enable SSL for your server (only works for
testing/private use -- real SSL sites still need to buy their own cert) http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en SSLDiag is the easiest way to check for why SSL is not working on IIS. http://microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message Hi,news:eDiUoPEXEHA.4000@TK2MSFTNGP09.phx.gbl... I've recently acquired an SSL certificate on my live web site which I maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can use https://www.markrae.co.uk just as well as http://www.markrae.co.uk. Therefore, I need to be able to simulate this on my development machine. I followed the MSKB article How To Set Up Client Certificates (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/htm l/secmod31.asp) to the letter, and am now experiencing the following behaviour on my development machine: 1) If I browse to http://localhost/markrae, all is fine 2) If I browse to https://localhost/markrae, IIS pops the standard Security Alert message (which I'd expect), saying that the Security Certificate was issued by a company I have not chosen to trust etc. So I click Yes, and then I get "Cannot find server or DNS Error", as if the site I'm trying to browse to isn't there. I'm running Windows XP Pro with all the latest security patches. If I open MMC, expand Internet Information Services and right click on Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being installed. If I right click on Default Web Site and select Properties, the IP address is set to (All Unassigned), the TCP port is 80 and the SSL port is 443 (not dimmed). If I run netstat -an from a command prompt, it has a Local Address entry for 0.0.0.0:443 I'm clearly missing something glaringly obvious here... Any assistance gratefully received. Regards, Mark Rae
David, how does IIS know whether your site is a testing/private site or a
real site? It's a matter of trust, not functionality. IIS works with any certificate the same way (as long as IIS can trust it), it doesn't care whether the client will or not. And even with a certificate that's not trusted, SSL will still work, the traffic will be encrypted. The problem with certificates that can't be trusted is not that SSL wouldn't work. It's that you don't know who you're talking to, you can't trust the information in the certificate (such as the subject). Jerry [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:utLhrkJXEHA.1356@TK2MSFTNGP09.phx.gbl... > SelfSSL is the easiest way to enable SSL for your server (only works for > testing/private use -- real SSL sites still need to buy their own cert) > > http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en > > > SSLDiag is the easiest way to check for why SSL is not working on IIS. > > http://microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message > news:eDiUoPEXEHA.4000@TK2MSFTNGP09.phx.gbl... > Hi, > > I've recently acquired an SSL certificate on my live web site which I > maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can > use > https://www.markrae.co.uk just as well as http://www.markrae.co.uk. > Therefore, I need to be able to simulate this on my development machine. > > I followed the MSKB article How To Set Up Client Certificates > (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/htm > l/secmod31.asp) to the letter, and am now experiencing the following > behaviour on my development machine: > > 1) If I browse to http://localhost/markrae, all is fine > > 2) If I browse to https://localhost/markrae, IIS pops the standard > Security > Alert message (which I'd expect), saying that the Security Certificate was > issued by a company I have not chosen to trust etc. So I click Yes, and > then > I get "Cannot find server or DNS Error", as if the site I'm trying to > browse > to isn't there. > > I'm running Windows XP Pro with all the latest security patches. > > If I open MMC, expand Internet Information Services and right click on > Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being > installed. > > If I right click on Default Web Site and select Properties, the IP address > is set to (All Unassigned), the TCP port is 80 and the SSL port is 443 > (not > dimmed). > > If I run netstat -an from a command prompt, it has a Local Address entry > for 0.0.0.0:443 > > I'm clearly missing something glaringly obvious here... > > Any assistance gratefully received. > > Regards, > > Mark Rae > > >
Don't worry, you're preaching to the choir here.
SelfSSL just lowers the bar to enabling SSL on IIS (many people mistake needing Certificate Server or is just not possible "for free" with IIS). It does not attempt to address the issue of trust. I'm just trying to explain to the user in more pragmatic terms. I do not want them to think that they get SSL "for free" and can go host a securable ecommerce site with SelfSSL and get disappointed. Most users really cannot distinguish encryption and trust when it comes to SSL, and I do not want it to be a barrier to understanding. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Jerry Pisk" <jerryiii@hotmail.com> wrote in message David, how does IIS know whether your site is a testing/private site or anews:ediIwfLXEHA.3420@TK2MSFTNGP12.phx.gbl... real site? It's a matter of trust, not functionality. IIS works with any certificate the same way (as long as IIS can trust it), it doesn't care whether the client will or not. And even with a certificate that's not trusted, SSL will still work, the traffic will be encrypted. The problem with certificates that can't be trusted is not that SSL wouldn't work. It's that you don't know who you're talking to, you can't trust the information in the certificate (such as the subject). Jerry [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:utLhrkJXEHA.1356@TK2MSFTNGP09.phx.gbl... > SelfSSL is the easiest way to enable SSL for your server (only works for > testing/private use -- real SSL sites still need to buy their own cert) > > http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en > > > SSLDiag is the easiest way to check for why SSL is not working on IIS. > > http://microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message > news:eDiUoPEXEHA.4000@TK2MSFTNGP09.phx.gbl... > Hi, > > I've recently acquired an SSL certificate on my live web site which I > maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can > use > https://www.markrae.co.uk just as well as http://www.markrae.co.uk. > Therefore, I need to be able to simulate this on my development machine. > > I followed the MSKB article How To Set Up Client Certificates > (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/htm > l/secmod31.asp) to the letter, and am now experiencing the following > behaviour on my development machine: > > 1) If I browse to http://localhost/markrae, all is fine > > 2) If I browse to https://localhost/markrae, IIS pops the standard > Security > Alert message (which I'd expect), saying that the Security Certificate was > issued by a company I have not chosen to trust etc. So I click Yes, and > then > I get "Cannot find server or DNS Error", as if the site I'm trying to > browse > to isn't there. > > I'm running Windows XP Pro with all the latest security patches. > > If I open MMC, expand Internet Information Services and right click on > Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being > installed. > > If I right click on Default Web Site and select Properties, the IP address > is set to (All Unassigned), the TCP port is 80 and the SSL port is 443 > (not > dimmed). > > If I run netstat -an from a command prompt, it has a Local Address entry > for 0.0.0.0:443 > > I'm clearly missing something glaringly obvious here... > > Any assistance gratefully received. > > Regards, > > Mark Rae > > >
Mark, you can also use the same certificate you purchased. You will get
warnings about the common name not being the same as the address of the site but if it's just for testing that might be fine. As you can see there are quite a few options... Jerry [quoted text, click to view] "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message news:OClJfxSXEHA.1656@TK2MSFTNGP09.phx.gbl... > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:eOj2qnPXEHA.1684@tk2msftngp13.phx.gbl... > >> I'm just trying to explain to the user in more pragmatic terms. I do not >> want them to think that they get SSL "for free" and can go host a > securable >> ecommerce site with SelfSSL and get disappointed. Most users really > cannot >> distinguish encryption and trust when it comes to SSL, and I do not want > it >> to be a barrier to understanding. > > Guys, > > Like I said, I have purchased a real certificate for my live web site - I > just need to simulate the SSL functionality on my private, secure > development machine... > >
I have no idea why you're trying to install Client Certificates when you
want SSL to work on your dev server (i.e. https://localhost to work) -- they are completely orthogonal issues. You only need to install a Cert for the Server to have SSL working, and I recommend you use SelfSSL to do this. Client Certificates implies that you first have SSL working on the Server and THEN you worry about auth via certificates sent by the client. Thus, it is irrelevant whether you followed some instructions to the letter -- you followed the wrong instructions to setup SSL, so it's obviously not working. If you'd run SelfSSL, you will find your dev machine magically responding to https://localhost , and we can all move on... http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en If that doesn't work, run SSLDiag to troubleshoot. http://microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message news:e3YqeDVXEHA.3988@tk2msftngp13.phx.gbl... "Jerry Pisk" <jerryiii@hotmail.com> wrote in message news:OTR8OLUXEHA.2520@TK2MSFTNGP12.phx.gbl... > Mark, you can also use the same certificate you purchased. Not easily - my ISP purchased it on my behalf and installed it for me...
[quoted text, click to view]
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:eOj2qnPXEHA.1684@tk2msftngp13.phx.gbl... > I'm just trying to explain to the user in more pragmatic terms. I do not > want them to think that they get SSL "for free" and can go host a securable > ecommerce site with SelfSSL and get disappointed. Most users really cannot > distinguish encryption and trust when it comes to SSL, and I do not want it > to be a barrier to understanding. Guys, Like I said, I have purchased a real certificate for my live web site - I just need to simulate the SSL functionality on my private, secure development machine...
[quoted text, click to view]
"Jerry Pisk" <jerryiii@hotmail.com> wrote in message news:OTR8OLUXEHA.2520@TK2MSFTNGP12.phx.gbl... > Mark, you can also use the same certificate you purchased. Not easily - my ISP purchased it on my behalf and installed it for me...
[quoted text, click to view]
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:ul39oAWXEHA.3676@TK2MSFTNGP09.phx.gbl... > If you'd run SelfSSL, you will find your dev machine magically responding to > https://localhost , and we can all move on... Thank you very much, and many apologies for my obvious stupidity. One day I'll know as much as you, and then won't trouble you any more with such asinine posts, OK?
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |