SSL Changes between IIS 6 & 7

Posted by Amar on April - 26 - 2012

IIS7 is great Web & Application server, where so many things have been changed by Microsoft for providing better performance while comparing to his previous IIS versions. One among them is the way of SSL works.

IIS 6 got the option called kernel mode SSL after upgrading the Windows 2003 Server to Servicepack 1. But mostly no one knew about it or not widely used.

But in the IIS7, kernel mode SSL is the default setting and the only setting. Microsoft makes this change primarily for the performance purpose.  So let us compare the request and response flow of  how SSL works between the IIS 6 & 7.

IIS6 SSL request/response flow

1. Request Encrypted Request from client
2. HTTP.SYS Kernel Mode driver for HTTP accepts the request
3. HTTPFilter Sent to user mode service to decrypt
4. HTTP.SYS Decrypted request comes back
5. Worker process Sent decrypted request to W3Wp => IIS
6. HTTP.SYS Response comes back from IIS
7. HTTPFilter Sent again to user mode to encrypt response
8. HTTP.SYS Encrypted response arrives from user mode
9. Response Encrypted response sent back to client

 

IIS7 SSL request/response flow

1. Request Encrypted Request from client
2. HTTP.SYS Kernel Mode driver for HTTP accepts and decrypts using SChannel
3. Worker process Sent decrypted request to W3Wp => IIS
4. HTTP.SYS Response from IIS is encrypted using SChannel
5. Response Encrypted Response sent back to client

 

This new design of how SSL processing is done inside kernel mode increases performance on IIS7.

Comments are closed.

Twitter updates

No public Twitter messages.

Sponsors