

Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

So many things have changed in IIS7 for the better, and one of them is the way SSL works. Although IIS6 allowed kernel mode SSL (starting with Windows 2003 SP1), that wasn't the default option. As far as I know (AFAIK) not many customers used it or knew about it.

Starting with IIS7, kernel mode SSL is going to be the default setting and the only setting. This was primarily for performance reasons. So let us see how it differs.

IIS6 SSL request/response flow

1. Request (Encrypted request from client)
2. HTTP.SYS (Kernel mode driver for HTTP accepts the request)
3. HTTPFilter (Sent to user mode service to decrypt)
4. HTTP.SYS (Decrypted request comes back)
5. Worker process (Sent decrypted request to W3Wp => IIS)
6. HTTP.SYS (Response comes back from IIS)
7. HTTPFilter (Sent again to user mode to encrypt response)
8. HTTP.SYS (Encrypted response arrives from user mode)
9. Response (Encrypted response sent back to client)

IIS7 SSL request/response flow

1. Request (Encrypted request from client)
2. HTTP.SYS (Kernel mode driver for HTTP accepts and decrypts using SChannel)
3. Worker process (Sent decrypted request to W3Wp => IIS)
4. HTTP.SYS (Response from IIS is encrypted using SChannel)
5. Response (Encrypted response sent back to client)

Context switching between kernel mode and user mode is expensive, and this new design, in which SSL processing is done inside kernel mode, increases performance on IIS7.

IIS7 Rocks!!!

Comments

  • Anonymous
    November 26, 2007
    Is the same SSL performance enhancement available in IIS 6 (Win 2003 SP2) if you switch from user mode to kernel mode? If so, can you provide a pointer to how to make that switch? Thanks for the info. This is useful to know.

  • Anonymous
    November 26, 2007
    The same is available from Windows 2003 SP1 onwards. And this should also give performance benefits. Please make sure you test before enabling it on a production server. More details here... http://msdn2.microsoft.com/en-us/library/aa364671.aspx Registry entry (EnableKernelSSL) mentioned in the above article is obsolete from Windows 2008 onwards since it's the default setting.

  • Anonymous
    November 27, 2007
    Thought of posting this blog entry which would give some changes that are in IIS7 compared to IIS6, and

  • Anonymous
    November 28, 2007
    Thought of posting this blog entry which would give some changes that are in IIS7 compared to IIS6, and

  • Anonymous
    December 26, 2008
    I am currently using client cert authentication in IIS7 and trying to find some performance enhancements. It's good to know that IIS7 by default is set to kernel mode SSL. In the past, IIS6 kernel mode SSL did not work for client certs; is this still the case with IIS7 kernel mode SSL?

  • Anonymous
    March 31, 2009
    I'm not sure about the client cert portion of the question (not tried yet). I would suggest posting on iis.net to get a confirmation.