设置服务器名称指示(SNI)取消证书绑定 [英] Setting Server Name Indication (SNI) takes off certificate binding

问题描述

我正在使用Microsoft.Web.Administration(在Wix CustomAction内部)来配置服务器名称指示并绑定到IIS 8.5站点上的现有服务器证书.

I'm using Microsoft.Web.Administration (inside a Wix CustomAction) to configure Server Name Indication and bind to an existing server certificate on a IIS 8.5 site.

结果是，设置SNI会取消证书绑定.以下代码将使事情变得更清楚:

Turns out, setting SNI takes off the certificate binding. The following code will make things clearer:

using Microsoft.Web.Administration;

var binding = site.Bindings.FirstOrDefault(x => x.IsIPPortHostBinding && x.Host == sitename);

binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;

// this statement is causing the certificate info to get messed up.
binding["sslFlags"] = 1; // or binding.SetAttributeValue("sslFlags", 1);

结果:

使用 binding["sslFlags"] = 1;

无 binding["sslFlags"] = 1;

这是错误还是我错过了什么?如何使SNI和证书绑定都保持不变?

Is this a bug or am I missing something? How can get both SNI and Certificate binding to stick?

推荐答案

似乎Microsoft.Web.Administration v7.0是这里的罪魁祸首.这是NuGet画廊上的官方版本，它似乎主要用于IIS 7(我的意思是它可以用于IIS 7和8中的通用功能，但是7所没有的任何功能都会产生类似于上面的怪异结果).

It seems Microsoft.Web.Administration v7.0 is the culprit here. This is the official one on NuGet gallery and it seems that it is meant for IIS 7 mainly (I mean it'll work for features common in both IIS 7 & 8 but anything that 7 doesn't have will have weird results like above).

使用 IIS.Microsoft.Web.Adminstration (其中似乎是针对IIS 8.5的社区上载程序包).从此答案中获得了提示.

Using IIS.Microsoft.Web.Adminstration (which seems to be a community uploaded package for IIS 8.5) works. Got the hint from this answer.

更新的代码:

binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;

binding.SslFlags = SslFlags.Sni;  // <<< notice it has helpful enums

这篇关于设置服务器名称指示(SNI)取消证书绑定的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！