I have implemented SSL using the same IP for a few websites but using another 
port for SSL, which solves this issue.

 

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of David Connors
Sent: Thursday, 14 April 2011 1:27 PM
To: ozDotNet
Subject: Re: adding ssl to asp.net website

 

On Wed, Apr 13, 2011 at 10:36 PM, Richard Carde <rich...@carde.id.au> wrote:

I think you disregarded the part about 'falling back'.  If you've committed to 
securing the login process via SSL then you've used that IP address already.  
Yes, there's overhead.  Yes, you might need more than 1 IP - but only if you 
need to secure other content to avoid creating issues related to mixed-mode 
security - fetching non-secure (static) content from other hosts or if you're 
using a CDN.  But isn't your customer's security more important?

 

I would argue that smaller shops would host all content from the same server or 
reference ssl-enabled CDNs. Larger shops possibly reverse proxy content from a 
single listener which requires only a single IP address.

 

Slightly related to this, a mate mentioned to me a couple of weeks ago that 
there is such a thing as SSL over a shared IP. This conversation prompted me to 
mail him and ask him and it turns out that there is a TLS extension called SNI 
(Server Name Identification) that allows the server name to be known and the 
correct certificate to be selected, prior to the negotiation of the TLS channel 
(RFC4366) - it has been around since 2006 - given how much I tend to have my 
snout in this sort of stuff I am surprised I have only heard about it now.

 

Apache supports SNI - No idea about IIS7.5.

 

-- 
David Connors | da...@codify.com | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact
