We are nearing the end of a lot of changes to make our application work in Azure and we want to use the Virtual Machines, not the typical roles way of deploying machines.

Getting to the end, I started to make checklists of things I needed to do and I can't seem to find anything that documents using multiple SSLs on the same virtual machine. I have come across some posts on SNI but after reading up on SNI it does not support Windows XP. After researching our user base, 1/3 of our users access from a Windows XP machine which makes SNI useless.

Am I missing something as this seems like a massive oversight in architecture if a VM cannot support multiple SSL certificates?

Does anyone have anything working inside Azure which supports multiple SSLs on the one VIP address?

Chris Lomax

3 Answers


I agree with Robert.

I'm a Microsoft Technical Evangelist and I recently helped one of my partners to implement a SNI automation solution for Cloud Services (detailed explanation and sample "plug & play" source-code at http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/).

Although many statistics indicate that Internet Explorer running on Windows XP is relevant, in reality it may not be for your audience.

For instance, if you want to use SSL because you run an e-commerce website, I'm positive your audience (people that have a credit card and are willing to use it for internet purchases) is probably not using Windows XP anymore. At least, that is the case for the dozens of e-commerce partners I have in Brazil...

  • It's not just IE on XP (which some people still use, sometimes without a choice in the corporate world), there are also plenty of mobile devices that don't support SNI. – Bruno Apr 04 '13 at 12:44

AFAIK you have the following choices:

  1. Use SNI with one IP
  2. Set up your domains to use non-standard SSL ports
  3. Use one IP address per SSL domain.

The only chance would be if your domains are all subdomains of one domain. Then a wildcard certificate would be the best choice.

BTW: on WinXP, SNI is unsupported only in IE. Other browsers like Firefox, Chrome and Opera do support SNI on XP.

Robert
  • Unfortunately we are a creative agency with many clients, all the domains would be different. Just checking on your comment for XP and IE, that is 4/5 of the 1/3 so that is still very high. It's a figure we cannot ignore. Would you mind elaborating on point 2? Would I need to make sure if I am accessing from an HTTPS page that I specify the port? I'm disappointed that Microsoft has launched the ability to have VMs and they don't support multiple IP bindings of some sort. – Chris Lomax Oct 10 '12 at 11:40
  • If you want to set up multiple SSL domains with one IP without SNI there is the possibility to use one port for each domain. But that would be visible to the users in the address bar. And furthermore if the user wants to visit "domain1.example" which runs on port 8443 but enters the url directly "https://domain.example" instead of "https://domain.example:8443" the user will see a security warning because there is a mismatch between DNS name and certificate, as on port 443 runs a different domain. Hence this is IMHO only a solution for internal or test servers. – Robert Oct 10 '12 at 11:55
  • Yes I thought so, thanks Robert. This is really a massive pain in the ass, so I am hoping that Microsoft pull their finger out before I am ready to do a full deployment to their servers. It would have been better if I could remap the connection based on headers sent, then I could have mapped to a different port internally. I don't even know if that is possible but I was hoping that's what you were trying to get at. – Chris Lomax Oct 10 '12 at 12:08
  • That is the general problem - without SNI there are no headers sent to the server on which basis you could redirect the traffic. Therefore the only solution would be to wait until IE-XP usage drops. Maybe you should ask your clients to add banners for IE-XP users to show that their browser is outdated and should be replaced... – Robert Oct 10 '12 at 12:11
  • Looking through the stats, it only appears to be a couple of sites that this affects. I may have to bring up 2 extra load balanced clusters for these websites until they support multiple VIPs. I appreciate your input Robert, thanks. On a side note, I wish the banner was an option; I think the user that is on XP and IE is either forced or doesn't even know what a "browser" is. I once changed a relative's machine to use Chrome by default and they asked where the "internet" had gone. Even explaining didn't help, I just had to put IE back on. – Chris Lomax Oct 10 '12 at 12:34
  • Another solution is to use a single certificate with multiple SANs. It's similar to using a wildcard cert, but can work with unrelated domains. The procedure to get such a cert (with un-related domains) from a CA could be tedious, though. – Bruno Apr 04 '13 at 12:43
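To see the behaviour Robert and Bruno describe, here is an added example (not from the original thread, not Azure or IIS code) in Go: a loopback TLS server holds two self-signed certificates and picks one by SNI, so a client that sends SNI gets the matching certificate, while a client that sends none gets whatever is bound to the bare port and then fails the hostname check a browser would do. The names client-a.example and client-b.example are constructed for the demo; the only skipped step is CA chain validation, because the demo certificates have no CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one DNS name (constructed for this demo).
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// serveSNI serves TLS on a loopback port, choosing the certificate named in the ClientHello.
func serveSNI(certs map[string]tls.Certificate, fallback tls.Certificate) string {
	cfg := &tls.Config{GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := certs[hi.ServerName]; ok {
			return &c, nil
		}
		return &fallback, nil // no SNI (or unknown name): whatever is bound to the bare port
	}}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", cfg)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.(*tls.Conn).Handshake() // runs GetCertificate; a failed handshake just ends this connection
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// presentedName handshakes with the given SNI ("" = none, as IE on XP would) and returns the name on
// the certificate the server chose plus the hostname check a browser would do against wantHost.
func presentedName(addr, sni, wantHost string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	return leaf.DNSNames[0], leaf.VerifyHostname(wantHost)
}
```

Dialing by IP literal with an empty ServerName makes Go omit the SNI extension, which is exactly what a non-SNI client looks like on the wire.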

Now you can have multiple public virtual IPs on an Azure VM, allowing multiple SSLs, at a cost of about $3/month. See pricing and howto.

Joao Leme
  • This model works if you don't mind putting it behind a cloud service and having internal ports to manage the different SSL bindings. This works fine on IIS as you manage the setup yourself, but we have cPanel installed and it's a headache when trying to set up different ports on cPanel. Also, all the management is done through PowerShell as they don't currently support all this through the Azure interface. It's not a major task to perform but it's a lot scarier to commit something through PowerShell and hope it doesn't take the whole cluster down than through an interface. – Chris Lomax Aug 01 '16 at 09:36