|
Home > Archive > IIS Server Security > June 2004 > Can't get SSL to work locally
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Can't get SSL to work locally
|
|
| Mark Rae 2004-06-27, 7:48 am |
| Hi,
I've recently acquired an SSL certificate on my live web site which I
maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can use
https://www.markrae.co.uk just as well as http://www.markrae.co.uk.
Therefore, I need to be able to simulate this on my development machine.
I followed the MSKB article How To Set Up Client Certificates
(http://msdn.microsoft.com/library/d...n-us/secmod/htm
l/secmod31.asp) to the letter, and am now experiencing the following
behaviour on my development machine:
1) If I browse to http://localhost/markrae, all is fine
2) If I browse to https://localhost/markrae, IIS pops the standard Security
Alert message (which I'd expect), saying that the Security Certificate was
issued by a company I have not chosen to trust etc. So I click Yes, and then
I get "Cannot find server or DNS Error", as if the site I'm trying to browse
to isn't there.
I'm running Windows XP Pro with all the latest security patches.
If I open MMC, expand Internet Information Services and right click on
Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being
installed.
If I right click on Default Web Site and select Properties, the IP address
is set to (All Unassigned), the TCP port is 80 and the SSL port is 443 (not
dimmed).
If I run netstat -an from a command prompt, it has a Local Address entry
for 0.0.0.0:443
I'm clearly missing something glaringly obvious here...
Any assistance gratefully received.
Regards,
Mark Rae
| |
| David Wang [Msft] 2004-06-28, 8:55 am |
| SelfSSL is the easiest way to enable SSL for your server (only works for
testing/private use -- real SSL sites still need to buy their own cert)
http://www.microsoft.com/downloads/...&DisplayLang=en
SSLDiag is the easiest way to check for why SSL is not working on IIS.
http://microsoft.com/downloads/deta...&DisplayLang=en
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:eDiUoPEXEHA.4000@TK2MSFTNGP09.phx.gbl...
Hi,
I've recently acquired an SSL certificate on my live web site which I
maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can use
https://www.markrae.co.uk just as well as http://www.markrae.co.uk.
Therefore, I need to be able to simulate this on my development machine.
I followed the MSKB article How To Set Up Client Certificates
(http://msdn.microsoft.com/library/d...n-us/secmod/htm
l/secmod31.asp) to the letter, and am now experiencing the following
behaviour on my development machine:
1) If I browse to http://localhost/markrae, all is fine
2) If I browse to https://localhost/markrae, IIS pops the standard Security
Alert message (which I'd expect), saying that the Security Certificate was
issued by a company I have not chosen to trust etc. So I click Yes, and then
I get "Cannot find server or DNS Error", as if the site I'm trying to browse
to isn't there.
I'm running Windows XP Pro with all the latest security patches.
If I open MMC, expand Internet Information Services and right click on
Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being
installed.
If I right click on Default Web Site and select Properties, the IP address
is set to (All Unassigned), the TCP port is 80 and the SSL port is 443 (not
dimmed).
If I run netstat -an from a command prompt, it has a Local Address entry
for 0.0.0.0:443
I'm clearly missing something glaringly obvious here...
Any assistance gratefully received.
Regards,
Mark Rae
| |
| Jerry Pisk 2004-06-28, 8:55 am |
| David, how does IIS know whether your site is a testing/private site or a
real site? It's a matter of trust, not functionality. IIS works with any
certificate the same way (as long as IIS can trust it), it doesn't care
whether the client will or not. And even with a certificate that's not
trusted, SSL will still work, the traffic will be encrypted. The problem
with certificates that can't be trusted is not that SSL wouldn't work. It's
that you don't know who you're talking to, you can't trust the information
in the certificate (such as the subject).
Jerry
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:utLhrkJXEHA.1356@TK2MSFTNGP09.phx.gbl...
> SelfSSL is the easiest way to enable SSL for your server (only works for
> testing/private use -- real SSL sites still need to buy their own cert)
>
> http://www.microsoft.com/downloads/...&DisplayLang=en
>
>
> SSLDiag is the easiest way to check for why SSL is not working on IIS.
>
> http://microsoft.com/downloads/deta...&DisplayLang=en
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
> news:eDiUoPEXEHA.4000@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I've recently acquired an SSL certificate on my live web site which I
> maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can
> use
> https://www.markrae.co.uk just as well as http://www.markrae.co.uk.
> Therefore, I need to be able to simulate this on my development machine.
>
> I followed the MSKB article How To Set Up Client Certificates
> (http://msdn.microsoft.com/library/d...n-us/secmod/htm
> l/secmod31.asp) to the letter, and am now experiencing the following
> behaviour on my development machine:
>
> 1) If I browse to http://localhost/markrae, all is fine
>
> 2) If I browse to https://localhost/markrae, IIS pops the standard
> Security
> Alert message (which I'd expect), saying that the Security Certificate was
> issued by a company I have not chosen to trust etc. So I click Yes, and
> then
> I get "Cannot find server or DNS Error", as if the site I'm trying to
> browse
> to isn't there.
>
> I'm running Windows XP Pro with all the latest security patches.
>
> If I open MMC, expand Internet Information Services and right click on
> Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being
> installed.
>
> If I right click on Default Web Site and select Properties, the IP address
> is set to (All Unassigned), the TCP port is 80 and the SSL port is 443
> (not
> dimmed).
>
> If I run netstat -an from a command prompt, it has a Local Address entry
> for 0.0.0.0:443
>
> I'm clearly missing something glaringly obvious here...
>
> Any assistance gratefully received.
>
> Regards,
>
> Mark Rae
>
>
>
| |
| David Wang [Msft] 2004-06-28, 8:55 am |
| Don't worry, you're preaching to the choir here.
SelfSSL just lowers the bar to enabling SSL on IIS (many people mistake
needing Certificate Server or is just not possible "for free" with IIS). It
does not attempt to address the issue of trust.
I'm just trying to explain to the user in more pragmatic terms. I do not
want them to think that they get SSL "for free" and can go host a securable
ecommerce site with SelfSSL and get disappointed. Most users really cannot
distinguish encryption and trust when it comes to SSL, and I do not want it
to be a barrier to understanding.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jerry Pisk" <jerryiii@hotmail.com> wrote in message
news:ediIwfLXEHA.3420@TK2MSFTNGP12.phx.gbl...
David, how does IIS know whether your site is a testing/private site or a
real site? It's a matter of trust, not functionality. IIS works with any
certificate the same way (as long as IIS can trust it), it doesn't care
whether the client will or not. And even with a certificate that's not
trusted, SSL will still work, the traffic will be encrypted. The problem
with certificates that can't be trusted is not that SSL wouldn't work. It's
that you don't know who you're talking to, you can't trust the information
in the certificate (such as the subject).
Jerry
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:utLhrkJXEHA.1356@TK2MSFTNGP09.phx.gbl...
> SelfSSL is the easiest way to enable SSL for your server (only works for
> testing/private use -- real SSL sites still need to buy their own cert)
>
>
http://www.microsoft.com/downloads/...&DisplayLang=en
>
>
> SSLDiag is the easiest way to check for why SSL is not working on IIS.
>
>
http://microsoft.com/downloads/deta...&DisplayLang=en
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
> news:eDiUoPEXEHA.4000@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I've recently acquired an SSL certificate on my live web site which I
> maintain and develop in C# / ASP.NET with VS.NET 2003. That means I can
> use
> https://www.markrae.co.uk just as well as http://www.markrae.co.uk.
> Therefore, I need to be able to simulate this on my development machine.
>
> I followed the MSKB article How To Set Up Client Certificates
>
(http://msdn.microsoft.com/library/d...n-us/secmod/htm
> l/secmod31.asp) to the letter, and am now experiencing the following
> behaviour on my development machine:
>
> 1) If I browse to http://localhost/markrae, all is fine
>
> 2) If I browse to https://localhost/markrae, IIS pops the standard
> Security
> Alert message (which I'd expect), saying that the Security Certificate was
> issued by a company I have not chosen to trust etc. So I click Yes, and
> then
> I get "Cannot find server or DNS Error", as if the site I'm trying to
> browse
> to isn't there.
>
> I'm running Windows XP Pro with all the latest security patches.
>
> If I open MMC, expand Internet Information Services and right click on
> Properties, C:\WINDOWS\System32\inetsrv\sspifilt.dll is showing as being
> installed.
>
> If I right click on Default Web Site and select Properties, the IP address
> is set to (All Unassigned), the TCP port is 80 and the SSL port is 443
> (not
> dimmed).
>
> If I run netstat -an from a command prompt, it has a Local Address entry
> for 0.0.0.0:443
>
> I'm clearly missing something glaringly obvious here...
>
> Any assistance gratefully received.
>
> Regards,
>
> Mark Rae
>
>
>
| |
| Mark Rae 2004-06-28, 7:33 pm |
| "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:eOj2qnPXEHA.1684@tk2msftngp13.phx.gbl...
> I'm just trying to explain to the user in more pragmatic terms. I do not
> want them to think that they get SSL "for free" and can go host a
securable
> ecommerce site with SelfSSL and get disappointed. Most users really
cannot
> distinguish encryption and trust when it comes to SSL, and I do not want
it
> to be a barrier to understanding.
Guys,
Like I said, I have purchased a real certificate for my live web site - I
just need to simulate the SSL functionality on my private, secure
development machine...
| |
| Jerry Pisk 2004-06-28, 7:33 pm |
| Mark, you can also use the same certificate you purchased. You will get
warnings about the common name not being the same as the address of the site
but if it's just for testing that might be fine. As you can see there are
quite a few options...
Jerry
"Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:OClJfxSXEHA.1656@TK2MSFTNGP09.phx.gbl...
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:eOj2qnPXEHA.1684@tk2msftngp13.phx.gbl...
>
> securable
> cannot
> it
>
> Guys,
>
> Like I said, I have purchased a real certificate for my live web site - I
> just need to simulate the SSL functionality on my private, secure
> development machine...
>
>
| |
| Mark Rae 2004-06-28, 7:33 pm |
| "Jerry Pisk" <jerryiii@hotmail.com> wrote in message
news:OTR8OLUXEHA.2520@TK2MSFTNGP12.phx.gbl...
> Mark, you can also use the same certificate you purchased.
Not easily - my ISP purchased it on my behalf and installed it for me...
| |
| David Wang [Msft] 2004-06-28, 7:33 pm |
| I have no idea why you're trying to install Client Certificates when you
want SSL to work on your dev server (i.e. https://localhost to work) -- they
are completely orthogonal issues. You only need to install a Cert for the
Server to have SSL working, and I recommend you use SelfSSL to do this.
Client Certificates implies that you first have SSL working on the Server
and THEN you worry about auth via certificates sent by the client. Thus, it
is irrelevant whether you followed some instructions to the letter -- you
followed the wrong instructions to setup SSL, so it's obviously not working.
If you'd run SelfSSL, you will find your dev machine magically responding to
https://localhost , and we can all move on...
http://www.microsoft.com/downloads/...&DisplayLang=en
If that doesn't work, run SSLDiag to troubleshoot.
http://microsoft.com/downloads/deta...&DisplayLang=en
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Mark Rae" <mark@mark-N-O-S-P-A-M-rae.co.uk> wrote in message
news:e3YqeDVXEHA.3988@tk2msftngp13.phx.gbl...
"Jerry Pisk" <jerryiii@hotmail.com> wrote in message
news:OTR8OLUXEHA.2520@TK2MSFTNGP12.phx.gbl...
> Mark, you can also use the same certificate you purchased.
Not easily - my ISP purchased it on my behalf and installed it for me...
| |
| Mark Rae 2004-06-29, 3:16 am |
| "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:ul39oAWXEHA.3676@TK2MSFTNGP09.phx.gbl...
> If you'd run SelfSSL, you will find your dev machine magically responding
to
> https://localhost , and we can all move on...
Thank you very much, and many apologies for my obvious stupidity. One day
I'll know as much as you, and then won't trouble you any more with such
asinine posts, OK?
|
|
|
|
|