IIS and HTTPS Binding with Host Header

Well, the title may not be entirely accurate. Honestly, I didn’t know what to title this post — let me explain what I observed and how I was able to get around the issue.

The default behavior in IIS is that you can only bind an SSL certificate to a specific site. And, by default, you cannot specify the host header value for the binding. What this means is that the SSL certificate is now bound to port 443 for all sites using the IP address specified. If you look at the screenshot below, you will notice that the Host name field is grayed out, and we are unable to populate it.

The default behavior for binding an SSL certificate is to only allow the certificate to be bound to a single site, without a host name specified.


PNG Support for PHP on OS X Yosemite

I recently upgraded to OS X Yosemite and ran into a small issue when attempting to create an image resource from a string. Here is what I am attempting to do:

  1. Parse HTML to obtain images on page
  2. Download each image
  3. Check that the image is large enough (to avoid small icon graphics, etc.)
  4. Resize the image to a standard height and width

The issue is that after upgrading to OS X Yosemite, the PHP build that ships with OS X does not have PNG support enabled. It’s honestly a bit surprising that this was excluded from the build. Here is the error message that I received:

Warning (2): imagecreatefromstring(): No PNG support in this PHP build


Redirect to HTTPS

As part of my series on migrating a site to support HTTPS, we are finally at the step where we will implement the redirect that ensures our users are always using the HTTPS site. In this article I will show how to implement this redirect using:

  • Apache’s Mod Rewrite
  • IIS Rewrite

In the examples and instructions below I am going to be using Apache on my local Mac development environment and Windows Server 2008 R2 with IIS 7.5 for the production environment. The code for the Apache Mod Rewrite implementation can also be used if you are using Helicon’s ISAPI Rewrite module for IIS. This makes it possible to use the same .htaccess file on both my development (Mac) and production (Windows) environments.


Enabling Strict Transport Security (HSTS)

I am continuing a series of articles focused on migrating a website to support HTTPS Everywhere. The goal of HTTPS Everywhere is to have the entire web be secure using the latest security and best practices. However, we also have to be aware of the possible performance implications of using HTTPS.

The first step we took to improve performance over HTTPS was to enable the keep-alive connection header. The next step we want to take now is to enable the strict transport security (HSTS) header. The HSTS header instructs your user’s browser to only connect to the current domain, and optionally all subdomains, using a secure connection.

In this article I will cover:

  • Why use HSTS?
  • Implementation in Apache and IIS
  • Testing to make sure it works

Before we get started, however, let me quickly point out that the HSTS header is widely supported by major browsers except for Internet Explorer up to 11, though Microsoft has announced that IE 12 will support HSTS.


Keep-Alive and HTTPS

As part of a series on setting up HTTPS Everywhere I am migrating a website to use HTTPS for all requests. So far we have configured the server with an SSL certificate to serve our content via HTTPS, and configured our SSL engine to ensure that we are using the latest security protocols and ciphers.

Now, we are going to fine-tune our web server for HTTPS. Tuning your code and server for performance, both on the server and on the client, is important whether or not you are using HTTPS. However, as part of our migration to HTTPS we want to ensure that we reduce any performance issues or bottlenecks before they arise. Heck, we want to keep our load time under 1s.


HTTPS Protocols and Ciphers

As part of a series on using HTTPS Everywhere we are migrating a website from HTTP to HTTPS. Previously we configured our web server with an SSL certificate, and we are now ready to configure the SSL engine on our server.

In this article I will cover the best practices for configuring both Apache and IIS web servers. For the IIS configuration I will be using the free IIS Crypto tool by Nartac Software.

FWIW, I am not a security expert, so I am following the best practices prescribed by Mozilla in their Server Side TLS article.
