IIS 7 adding SSL to one site, all other sites responds to https request

Question

I have multiple sites running on my IIS, now for one of the websites (SiteB) we need to support ssl requests. I have enabled it editing bindings for the website, but the problem is when I selected protocol SSL editing bindings HostName field is disabled, being unable to set hostname to respond to https request, this causes that all sites of my IIS if are requested with https:// loads web site of siteB.

For example my bidings are the next

Site A

 IP  Port HostName
 *     80 www.sitea.com

Site B
 IP Port Hostname
 *   443 www.siteb.com
 *    80 www.siteb.com

If I type https://www.siteb.com in my browser it works correctly, but if I type https://www.sitea.com in the browser, siteb webpage is loaded with the hostname of sitea.

How Can I make that only https://www.siteb.com responds to https requests on my IIS?

I have tried with command appcmd too but It't doesnt work.

appcmd set site /site.name:{sitB} /bindings.[protocol='https',bindingInformation='*:443:*'].bindingInformation:*:443:siteB.com 

Thanks for your help.

Answer 1

The Root Problem
This unexpected behavior isn't because of IIS so much as it is because of the web encryption protocols.

The two major web encryption protocols are SSL and TLS. Both of these protocols negotiate a secure connection before passing any request information to the server. This means that, on secure requests, servers don't actually learn the hostname until after the secure connection is made.

An extension to TLS and SSL has been created to address this limitation. It's called SNI (Server Name Identification). The problem is that this extension needs to be supported on both the server and client machines. Currently the client browser support is somewhat spotty. See the SNI article for a browser list.

IIS's Handling Of The Problem
It is because of the above mentioned hostname limitation that IIS doesn't allow you to bind hostnames to HTTPS bindings. There is no way for IIS to route HTTPS requests to a particular hostname since it doesn't know the requested hostname when it first begins to negotiate the connection.

Once IIS has negotiated a secure connection with a client and learns that their requested hostname is for a site other than the one with the HTTPS binding (e.g. a request for https://sitea.com) IIS can either return a failure code or try to fail gracefully. IIS chooses the latter and tries to fail gracefully by serving up the site with the HTTPS binding even though the user is requesting a different site.

Solutions/Workarounds

• Create a rewrite rule to redirect all HTTPS requests for nonsecure websites to HTTP.
• Upgrade to IIS 8 to use the SNI extension. Then ask visitors to upgrade to browsers that suport SNI.
• Have your secure site return an error message when it receives a request for a different domain.
• Bind by IP address instead of hostname since IIS can route HTTPS requests by IP address

References
Most of my information came from the Wikipedia article on SNI

Answer 2

We run webservers with multiple sites requiring SSL with no problem.

If I understand your problem correctly - you'll need to set up a binding instead of a host name - which won't work. So, for each SSL-enabled site we host, we require a distinct external IP address. Then, enter that IP address as the binding when setting up the site in IIS.