MSSL

[note: IHQ provide no warranty regarding MSSL. This option is provided to ease the process of setting up secure websites within an affordable hosting service, but the proces is nonetheless viable for production use.] 

 

Introduction

MSSL means multiple-SSL, it is a quite simple feature developed by IHQ Inc in order to allow multiple secure websites on the same ip. Traditionally only one secure website per ip was allowed because the first communication request between the browser and the server was already encrypted, and there was no way for the server to know which SSL certificate to use.

 

Recent browsers like Firefox2, Opera9+, and IE7 under windows vista, support a new technology called SNI (servername indication) which use a similar concept to tell a server the intention of entering a secure connection with a particular website before switching to https.

 

MSSL uses 2 concepts. First browsers which support SNI go through the normal process and the server select the requested certificate. For older browsers, MSSL use a different method to signal the intentino od the browser t othe server.

 

Usage

In order to use MSSL on IHQ's servers, it is required to acess secure websites through a switc URL similar to this link :

https://secure-SERVER.ihqh.ca/mssl.php?https://site.client.ihq.ca 

 

The IHQ client can insert such link within his normal website, in order to redirect visitors to the secure webpage when needed. During the first step, the IHQ server select the correct certificate and then, redirect the visiors to the client secure URL. The address bar of the visitor's browser correctly show the URL. In the given example :

https://site.client.ihq.ca 

 

Limitations 

The different situations below can produce error or warnings at times. In any of those cases, going through the MSSL switch URL should correct the situation.

  1. Without SNI, the client ip is used as an identifier, which means that all clients behind a private network, are seen as one. Using the switch URL from any of those client at the same time on the same IHQ server, can result in conflicts when loading certificates.
  2. A client using mssl without SNI can only visit one secure website at the same time, for any IHQ server.
  3. If a client leaves a browser open for a really long time without clicking any link, the indication will be lost and the next click will result in an error.

 

 Demo

This is a demonstration of two MSSL websites and how it works. This first link below is the recommanded way of directing a visitor to your secure website. When you click the link you will be prompted to accept a certificate with the name mssl1.demo.ihq.ca. As you see, the name of the certificate matches the name of the website. The prompt you have from your browser occurs only because this certificate is not signed by a recognized authority. If you purchase a SSL certificate, no prompt will occur when opening your website.

https://secure-relm.ihqh.ca/mssl.php?https://mssl1.demo.ihq.ca/page_en.php

Alternatively you can connect to a second MSSL website using the same ip and located on the same server, using the link:

https://secure-relm.ihqh.ca/mssl.php?https://mssl2.demo.ihq.ca/page_en.php

Finally, if you have a recent browser which support the SNI directive, you could use the links presented at the bottom of this page. However, we don't recommend to use direct slinks for your websites, because you have no control over the browser that your visitors will use. In case a visitor has failed to follow the MSSL link, the dummy certificate : dummy.ihq.ca will be loaded and the visitor will be redirected to the correct MSSL link, if possible. For security reasons, a website will never be displayed with a dummy certificate.

https://mssl1.demo.ihq.ca/page_en.php

https://mssl2.demo.ihq.ca/page_en.php