The SSL implementation has changed in IIS 7.0. Windows Server 2003 stores all SSL configuration in the IIS metabase, and encryption and decryption happen in user mode. This requires a lot of back-and-forth communication between kernel mode and user mode. In Windows Server 2008, HTTP.sys handles SSL encryption and decryption in kernel mode. Secure connections should see up to 20 percent better performance than in IIS 6.0. The performance gains for decrypting data are evident because the need to bounce back and forth between kernel mode and user mode has been greatly reduced.
To move SSL into kernel mode, IIS 7.0 requires SSL binding information to be stored in two locations. The first part, the site binding, is stored in %windir%\system32\inetsrv\applicationHost.config for each site. When the site starts, IIS sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:port. The second part of the SSL configuration is stored in the HTTP.sys configuration. You can use Netsh to view the SSL binding configuration stored in HTTP.sys.
Note
Netsh is a command-line scripting utility that allows you to display or modify, either locally or remotely, the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers. For more information about Netsh, go to http://technet.microsoft.com and search for Netsh overview.
Here is an example showing a sample binding to 192.168.0.10. The IP address is the same one that would be listed in the Web site bindings.
netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 192.168.0.10:443
Certificate Hash : 63ca21f32543806959aed570a081fb3f311f958a
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
When a client starts an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP and port pair that the client connected to. For the SSL-based request to succeed, the HTTP.sys SSL configuration must include a certificate hash and the name of the certificate's store.
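Because the two halves of an SSL binding live in different places, a mismatch (an https site binding with no matching HTTP.sys entry, or an entry missing its hash or store name) only shows up when the client's negotiation fails. The following Python script is an added example, not code from the book or from IIS: it parses a constructed applicationHost.config fragment and a constructed "netsh http show sslcert" listing and reports bindings HTTP.sys cannot serve, assuming IPv4 bindings and that an IIS "*" binding appears as 0.0.0.0 in HTTP.sys.

```python
import re
import xml.etree.ElementTree as ET
# Constructed applicationHost.config fragment (not from a real server).
APPHOST_XML = """<configuration><system.applicationHost><sites>
 <site name="Default Web Site"><bindings>
  <binding protocol="http" bindingInformation="*:80:" />
  <binding protocol="https" bindingInformation="192.168.0.10:443:" />
 </bindings></site>
 <site name="Intranet"><bindings>
  <binding protocol="https" bindingInformation="*:443:" />
 </bindings></site>
</sites></system.applicationHost></configuration>"""
# Constructed 'netsh http show sslcert' output in the layout shown above.
NETSH_OUTPUT = """SSL Certificate bindings:
-------------------------
    IP:port                 : 192.168.0.10:443
    Certificate Hash        : 63ca21f32543806959aed570a081fb3f311f958a
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
"""

def https_bindings(apphost_xml):  # 'ip:port' -> site name (IPv4 bindings only)
    result = {}
    for site in ET.fromstring(apphost_xml).iter("site"):
        for b in site.iter("binding"):
            if b.get("protocol", "").lower() == "https":
                ip, port, _host = b.get("bindingInformation").split(":", 2)
                ip = "0.0.0.0" if ip == "*" else ip  # assumption: IIS '*' shows as 0.0.0.0 in HTTP.sys
                result[f"{ip}:{port}"] = site.get("name")
    return result

def httpsys_sslcerts(netsh_text):  # 'ip:port' -> {field: value} from netsh output
    certs, current = {}, None
    for line in netsh_text.splitlines():
        m = re.match(r"^\s*(.+?)\s+:\s*(.*?)\s*$", line)  # 'Field   : value'
        if m and m.group(1) == "IP:port":
            current = certs.setdefault(m.group(2), {})
        elif m and current is not None:
            current[m.group(1)] = m.group(2)
    return certs

def audit_ssl_bindings(apphost_xml, netsh_text):  # https bindings HTTP.sys cannot serve
    findings, certs = [], httpsys_sslcerts(netsh_text)
    for endpoint, site in https_bindings(apphost_xml).items():
        entry = certs.get(endpoint)
        if entry is None:
            findings.append(f"{site} {endpoint}: no SSL binding in HTTP.sys")
        elif not entry.get("Certificate Hash") or not entry.get("Certificate Store Name"):
            findings.append(f"{site} {endpoint}: HTTP.sys entry lacks certificate hash or store name")
    return findings
```

On a real server, replace the two constructed strings with the contents of applicationHost.config and the output of "netsh http show sslcert"; an empty findings list means every https site binding has a usable HTTP.sys entry.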
SSL accelerators come in two forms: an external device and an internal card. An external device is useful when you want to add capacity on demand or make sure there is room to grow. As your requirements for SSL increase, you can add devices to handle the load. An internal card, usually a PCI card, takes the load off the Web server by handling the encryption and decryption. As computers continue to get faster and add more CPU cores, there may no longer be any need for the external device.
Whichever SSL solution you choose will depend on your application's needs. IIS 7.0 has improved the performance of its SSL handling compared to IIS 6.0. Only after you have load-tested your application can you determine whether you need an external device.
No matter which way you proceed, best practice is to put your application in a controlled environment and load-test it. If you determine under load that your servers can handle all the operations, that helps determine what your production environment will look like. Testing will help you clarify your decision about SSL performance.