I'm looking for a very specific situation here with this POODLE exploit. I have a need to disable SSL v2/3 on a subset of my IIS websites, but leave SSL 2/3 available on a few others. Is it possible to do this with IIS 7.5?
- As far as I know, on Windows you can only do it system-wide. – Michael Hampton Oct 17 '14 at 18:34
- The client first connects via TLS/SSL and then says which website he wants to see. – sebix Oct 17 '14 at 18:49
- @sebix If you are using Per-IP hosting, then the name passed after TLS has been negotiated shouldn't matter. It seems like it would be useful to have different bound IPs or ports with different TLS settings. – Zoredache Oct 17 '14 at 19:12
1 Answer
2
As far as I'm aware, the SSL settings in IIS are system-wide. I have spent a lot of time on this and the only references I've found are for schannel and system-wide.

I've dealt with this in the past by using an Apache instance as a proxy.

I've set this up either running on a separate VM or running on the same server, depending on the client. Using mod_proxy and per-vhost SSL configuration works well.

When using a single host setup, I adjusted the IIS sites to listen on localhost only and the external IP for Apache.

Skyhawk

Tim Brigham
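
The Apache front end described in the answer above, as an added example that is not the answerer's own configuration. The IP addresses, host names, certificate paths and backend ports are placeholders; each site gets its own IP so the protocol setting is chosen by the address the client connected to, not by the host name sent during the handshake.

```apache
# Added example, not from the original answer.
# Assumed: mod_ssl, mod_proxy and mod_proxy_http are loaded; the IIS sites
# are rebound to 127.0.0.1 on ports 8081 and 8082 (placeholder ports).

Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Site that must no longer negotiate SSLv2/SSLv3 (POODLE mitigation).
<VirtualHost 192.0.2.10:443>
    ServerName secure.example.com

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    "conf/ssl/secure.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/secure.example.com.key"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    # Pass the original Host header so IIS host-header bindings still match.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

# Site that keeps the legacy protocols for old clients.
# "all" enables whatever this mod_ssl/OpenSSL build still supports.
<VirtualHost 192.0.2.11:443>
    ServerName legacy.example.com

    SSLEngine on
    SSLProtocol all
    SSLCertificateFile    "conf/ssl/legacy.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/legacy.example.com.key"

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>
```

Because the IIS sites listen only on localhost, clients cannot bypass the proxy and reach the system-wide schannel settings directly.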