IIS - site offline but handshake phase done properly

Today I want to share an interesting scenario brought to me by one of my customers. Let me paint the picture:

  • We have a web server with two IP addresses configured on it.
  • Two web sites are hosted on that server. Let’s call them site1 and site2. Both sites are available over HTTPS to end users, and each site is bound to its own IP address. To be clear:
    • Site1 – ip1:443
    • Site2 – ip2:443

If you take one of the sites offline (that is, you stop it), the server still completes the SSL handshake (https://support.microsoft.com/kb/257591/en-gb) on that site’s IP address, even though the associated site is stopped.

As a result, the client receives the SSL certificate and, right after it, an HTTP 404. How is that possible? Let’s answer that question:

https://support.microsoft.com/kb/175952/en-gb

“The Winsock application that is listening on the designated port was written so that it binds to any local IP address by using INADDR_ANY. This means that the application will listen to all local interfaces and you can connect to the port of any of them. This is why netstat -an shows IP address 0.0.0.0 listening on the port.”

What the KB says is clear: when an application opens a listening socket without binding it to a specific address (INADDR_ANY), Winsock accepts incoming connections to that port on every local IP address, not just one. This is the default behaviour, and it is what a 0.0.0.0 entry in netstat means.

Coming back to our scenario. Even with one site stopped, the second one is still serving on port 443. What does that mean? The listener on the server is not the site’s worker process but the kernel-mode HTTP.sys driver, and by default HTTP.sys listens on port 443 for all local addresses (0.0.0.0). We can check this by running the following command:

netstat -ano |findstr :443

TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4

When a connection comes in for the stopped site’s IP, it is accepted by the process that owns the listening socket: PID 4 is System, that is, the kernel-mode HTTP.sys driver. HTTP.sys keeps its own table of SSL certificate bindings per IP:port (netsh http show sslcert), and that binding is not removed when the site is stopped, so HTTP.sys completes the handshake with the configured certificate. Only after decrypting the request does it look for a site registered for that IP:port; it finds none and answers 404 itself, without involving any IIS worker process.
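To see this from the client side, here is a small PowerShell probe I wrote for this post (added example, not part of the original write-up or of IIS). It opens a TLS connection to an IP:port, reports which certificate was presented, then sends a bare GET and prints the status line and the Server header. The IP 192.0.2.10 and the host name stand in for ip1 and site1; substitute the real values.

```powershell
# Added example: probe a (stopped) site's IP:443 to show that HTTP.sys still
# completes the TLS handshake and then answers the request itself.
# 192.0.2.10 and site1.example.com are placeholders for ip1 / site1.
function Test-HttpsListener {
    param(
        [string]$Ip = '192.0.2.10',
        [int]$Port = 443,
        [string]$HostHeader = 'site1.example.com'
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Ip, $Port)
    } catch {
        # If the IP has been removed from the HTTP.sys listen list nothing
        # answers here, so the TCP connect itself fails.
        return [pscustomobject]@{ Ip = $Ip; Port = $Port; Connected = $false; Error = $_.Exception.Message }
    }

    # Accept any server certificate: we only want to see what HTTP.sys presents,
    # not decide whether to trust it (lab/self-signed certs are fine).
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostHeader)

    # Handshake done: this is the certificate HTTP.sys has bound to $Ip:$Port
    # (compare with 'netsh http show sslcert' on the server).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Minimal HTTP/1.1 request through the encrypted channel.
    $request = "GET / HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
    $ssl.Write($bytes, 0, $bytes.Length)
    $ssl.Flush()

    $reader = New-Object System.IO.StreamReader($ssl)
    $statusLine = $reader.ReadLine()
    $headers = @{}
    while (($line = $reader.ReadLine()) -and $line -ne '') {
        $name, $value = $line -split ':\s*', 2
        $headers[$name] = $value
    }
    $reader.Dispose(); $ssl.Dispose(); $tcp.Close()

    [pscustomobject]@{
        Ip          = $Ip
        Port        = $Port
        Connected   = $true
        Protocol    = $ssl.SslProtocol
        CertSubject = $cert.Subject
        StatusLine  = $statusLine
        Server      = $headers['Server']
    }
}

Test-HttpsListener -Ip '192.0.2.10' -Port 443 -HostHeader 'site1.example.com' | Format-List
```

With the site stopped but its IP still covered by HTTP.sys, the status line is the 404 described above. The Server header is a useful tell: a response produced by HTTP.sys itself carries Microsoft-HTTPAPI/2.0 rather than the Microsoft-IIS/x.x value a running site returns. Once the IP is removed from the listen list, the probe reports Connected = False because nothing accepts the TCP connection at all.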

Is it possible to avoid this? Yes, of course: by restricting HTTP.sys to the specific IP addresses you want it to listen on, instead of all addresses on the machine, through its IP listen list: https://support.microsoft.com/kb/954874/en-gb. In our case:

netsh http add iplisten ip1

netsh http add iplisten ip2

then restart the HTTP stack so the new list takes effect (net stop http /y followed by net start w3svc). Note that stopping the HTTP service also stops everything else that depends on HTTP.sys on that machine.

From then on, whenever you stop a web site you also have to remove its IP from the listen list, so that HTTP.sys no longer accepts connections on that address:

netsh http delete iplisten ip1

and restart the HTTP stack again. Keep in mind that the IP listen list is global to HTTP.sys: removing ip1 stops every HTTP.sys listener on that address, on any port, and once the list is non-empty any address not in it is ignored by every HTTP.sys-based service, not only IIS.
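Putting the whole procedure together, here is a PowerShell script I added for this post (not from the original article or from Microsoft): it reads each site’s HTTPS IP from its IIS binding, pins HTTP.sys to those addresses, and wraps stop/start of a site so that its IP leaves and re-enters the listen list at the same time. It assumes the WebAdministration module (IIS 7+) and, for the final check, Get-NetTCPConnection (Windows Server 2012+); ‘site1’, ‘site2’ are the post’s placeholders.

```powershell
# Added example: pin HTTP.sys to the site IPs and take a site offline together
# with its listener. Assumes the IIS WebAdministration module is available.
Import-Module WebAdministration

function Get-SiteHttpsIp {
    param([string]$SiteName)
    # bindingInformation has the form "ip:port:hostheader"; take the IP of the https binding.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) { throw "No https binding found on site '$SiteName'" }
    return ($binding.bindingInformation -split ':')[0]
}

function Restart-HttpStack {
    # HTTP.sys only re-reads its IP listen list when the http service restarts.
    # Stopping http takes W3SVC (and every other HTTP.sys client) down with it.
    net stop http /y
    net start http
    net start w3svc
}

function Stop-WebsiteAndListener {
    param([string]$SiteName)
    $ip = Get-SiteHttpsIp -SiteName $SiteName
    Stop-Website -Name $SiteName
    # Without this step HTTP.sys keeps accepting connections on $ip:443 and
    # serves the sslcert binding, then answers 404 (the behaviour described above).
    netsh http delete iplisten ipaddress=$ip
    Restart-HttpStack
}

function Start-WebsiteAndListener {
    param([string]$SiteName)
    $ip = Get-SiteHttpsIp -SiteName $SiteName
    netsh http add iplisten ipaddress=$ip
    Restart-HttpStack
    Start-Website -Name $SiteName
}

# 1. Inspect the current state: an empty listen list means 0.0.0.0, and every
#    sslcert binding below is served on any connection reaching its IP:port.
netsh http show iplisten
netsh http show sslcert

# 2. Restrict HTTP.sys to the two site IPs (no other address will be listened on).
$siteIps = 'site1', 'site2' | ForEach-Object { Get-SiteHttpsIp -SiteName $_ }
foreach ($ip in $siteIps) { netsh http add iplisten ipaddress=$ip }
Restart-HttpStack

# 3. Take site1 offline completely; only ip2 should remain in the list afterwards.
Stop-WebsiteAndListener -SiteName 'site1'
netsh http show iplisten

# 4. Verify on the server: port 443 is now listening on ip2 only, owned by PID 4 (System).
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it from an elevated PowerShell prompt; netsh http and service restarts both require administrator rights. Because step 2 makes the listen list non-empty, any address you add to the server later (a new site on ip3, a management listener) has to be added with netsh http add iplisten too, otherwise HTTP.sys silently ignores it.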

Enjoy your IIS administration!

Carmelo