Ssl – No need to enable SNI for multiple SSL sites on same IP but using same wild card certificate

Tags: https, iis, sni, ssl

I have an IIS server hosting:

example.com/www.example.com
sub1.example.com
sub2.example.com

They are listed as 3 separate sites under IIS, all bound to the same IP over HTTPS on 443. But they all use the same SSL certificate, which is a wildcard certificate covering *.example.com.

In this scenario, my understanding is that SNI isn't necessary, because whichever certificate the server serves for any request (which is the same certificate) will work for all sites anyway, correct? I tested it myself and it seems to be working, but I just want to make sure doing so won't cause any unexpected ill results for certain users (I do not want to use SNI if possible because I do want Windows XP support for these sites).

Out of curiosity, I do want to know when you have a setup like this (multiple sites over SSL on the same IP but without enabling SNI), how exactly does IIS decide which certificate to serve (the first 443 binding on an IP? Or the last one used?)

Furthermore, if this setup works, in the future if I were to add example.org to the same IIS server using a different SSL certificate, can I enable SNI for example.org only and not affect the other 3 sites?

Best Answer

The rule of thumb is that at HTTP API level,

  • You can bind a single certificate to IP:443 as IP based mapping.
  • You can bind a certificate to domain:443 as SNI mapping.

Such mappings can be visually analyzed via Jexus Manager.

When SSL/TLS handshake starts, SNI mappings would be scanned first to match the host name in the request (from SNI aware browsers). If no SNI mapping matches, then the IP based mapping is scanned. That's the order of resolution.

The mappings are created and updated when you configure sites in IIS Manager. However, such mappings in HTTP API are separate from IIS configuration. They can exist even if sites in IIS are removed.

In your case, as you only have a wildcard certificate, configuring multiple sites in IIS Manager won't overwrite the IP based mapping, and should work flawlessly.

However, when you try to configure the second domain with another certificate, you cannot use the same IP address (as that IP:443 mapping already exists). If you force that configuration in IIS Manager, then the previous certificate should be overwritten. Of course, SNI mapping can be used then.
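The following PowerShell is an added example; it is not code from the question, the answer, or IIS itself. The first part is a small model of the resolution order the answer describes (SNI mapping first, then the IP:443 mapping), so you can see what an SNI-aware client and a legacy client with no SNI receive once example.org is added as an SNI-only binding. The second part shows the real commands for inspecting the HTTP.sys mappings and adding the SNI binding. The function name `Resolve-ServedCertificate`, the IP address, thumbprints and site names are constructed placeholders, not values from the page.

```powershell
# Added example: models the HTTP.sys certificate resolution order described in the
# answer, then inspects the real mappings. All thumbprints/IPs/names are constructed.

# --- Part 1: model of the resolution order (hypothetical helper, not HTTP.sys code) ---
# $SniMappings : "hostname:443" -> thumbprint (what IIS creates for a binding with sslFlags=1)
# $IpMappings  : "ip:443"       -> thumbprint (classic IP-based binding)
function Resolve-ServedCertificate {
    param(
        [hashtable]$SniMappings,
        [hashtable]$IpMappings,
        [string]$ServerIp,
        [string]$SniHost   # '' for a client that sends no SNI (e.g. IE on Windows XP)
    )
    # 1. SNI mappings are consulted first, but only when the client actually sent a name
    if ($SniHost -and $SniMappings.ContainsKey("${SniHost}:443")) {
        return [pscustomobject]@{ Source = 'SNI'; Thumbprint = $SniMappings["${SniHost}:443"] }
    }
    # 2. Otherwise fall back to the IP-based mapping for the address the connection hit
    if ($IpMappings.ContainsKey("${ServerIp}:443")) {
        return [pscustomobject]@{ Source = 'IP'; Thumbprint = $IpMappings["${ServerIp}:443"] }
    }
    # 3. Nothing matches: there is no certificate to present and the handshake fails
    return [pscustomobject]@{ Source = 'None'; Thumbprint = $null }
}

$wildcard = 'THUMBPRINT-WILDCARD-PLACEHOLDER'   # constructed: *.example.com certificate
$orgCert  = 'THUMBPRINT-ORG-PLACEHOLDER'        # constructed: example.org certificate
$serverIp = '203.0.113.10'                      # constructed documentation address

$ip  = @{ "${serverIp}:443" = $wildcard }   # only one IP:443 mapping can exist per IP
$sni = @{ 'example.org:443' = $orgCert }    # SNI mapping for the new site only

# sub1.example.com from an SNI-aware client: no SNI mapping matches, so the IP
# mapping (wildcard) is served -> Source = IP
Resolve-ServedCertificate -SniMappings $sni -IpMappings $ip -ServerIp $serverIp -SniHost 'sub1.example.com'

# Any legacy client without SNI also gets the wildcard via the IP mapping -> Source = IP.
# For the three *.example.com sites that validates fine; for example.org the name
# will not match, which is the trade-off of an SNI-only binding.
Resolve-ServedCertificate -SniMappings $sni -IpMappings $ip -ServerIp $serverIp -SniHost ''

# example.org from an SNI-aware client gets its own certificate -> Source = SNI
Resolve-ServedCertificate -SniMappings $sni -IpMappings $ip -ServerIp $serverIp -SniHost 'example.org'

# --- Part 2: inspect and configure the real mappings on the server ---------------------
# HTTP API (http.sys) view. Entries keyed "IP:port" are IP-based mappings, entries
# keyed "Hostname:port" are SNI mappings. These survive even if the IIS site is deleted.
netsh http show sslcert

# IIS view (WebAdministration module). sslFlags 1 means the binding requires SNI.
Import-Module WebAdministration
Get-WebBinding -Protocol https |
    Select-Object @{ n = 'Site'; e = { $_.ItemXPath -replace ".*@name='([^']+)'.*", '$1' } },
                  bindingInformation, sslFlags

# Add example.org as an SNI-only binding. Because it is a hostname:443 mapping, the
# existing IP:443 mapping carrying the wildcard certificate is left untouched.
New-WebBinding -Name 'example.org' -Protocol https -Port 443 -HostHeader 'example.org' -SslFlags 1

# Attach the example.org certificate (placeholder thumbprint) to that SNI mapping.
$cert = Get-Item "Cert:\LocalMachine\My\$orgCert"
New-Item -Path 'IIS:\SslBindings\!443!example.org' -Value $cert -SSLFlags 1
```

Run Part 2 from an elevated prompt on the IIS host. After adding the SNI binding, `netsh http show sslcert` should list both the original `203.0.113.10:443` (IP-based) entry and a new `example.org:443` (SNI) entry; if the IP entry's certificate hash changed, the wildcard mapping was overwritten, which is the failure mode the answer warns about.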