I have multiple sites setup on IIS 6 with host headers. One of those sites has an SSL certificate installed. So now if any of the non-SSL-enabled sites is requested with HTTPS it loads the SSL-enabled site and gives a security warning.
How can I prevent the non-SSL sites from loading anything if they are requested with https? I would prefer it to throw the standard "Server not found" message. Is that possible?
The only way to achieve this with IIS 6 is to put the SSL-enabled site onto its own IP address and set IIS up not to listen on port 443 of the main IP address.
In SSL (without Server Name Indication - not yet supported by IIS), the client validates the server's certificate before it sends the requested hostname to the server. The server has to choose a certificate to send based on just the IP address.
No true.
Use header host for ssl and only specify for the SSL enabled site th correct host header.
cscript.exe adsutil.vbs set /w3svc//SecureBindings ":443:www.yourcustomer.com"