I have multiple sites set up on IIS 6 with host headers. One of those sites has an SSL certificate installed. So now if any of the non-SSL-enabled sites is requested with HTTPS it loads the SSL-enabled site and gives a security warning.
How can I prevent the non-SSL sites from loading anything if they are requested with https? I would prefer it to throw the standard "Server not found" message. Is that possible?
Best Answer
The only way to achieve this with IIS 6 is to put the SSL-enabled site onto its own IP address and set IIS up not to listen on port 443 of the main IP address.
In SSL (without Server Name Indication - not yet supported by IIS), the client validates the server's certificate before it sends the requested hostname to the server. The server has to choose a certificate to send based on just the IP address.