IBM Support

SSL connection uses first match for IP address instead of match for host name entered by web browser

Technote (troubleshooting)


Problem

For a Lotus Domino server, you create multiple Internet Sites -> Web Site documents and configure them for SSL. Internet Site documents allow for more than one Site document per IP address, each based on one or more host names. Each Site document has its own settings for security, including an SSL key file.

If you enter the same IP address in more than one Web Site document, however, only the first one is used for SSL connections no matter which host name is entered in the Web browser.


Resolving the problem

Domino is working as designed. Only one SSL enabled Internet Site document is allowed per IP address.

Internet Site documents work by retrieving the Host header sent by the client. For a Web browser, this Host header is the server name or IP address entered in the URL. Domino compares this header to the Internet Site documents and uses the matching site (or the default if no specific match).

SSL must be established before the server reads the header information sent by the client. Therefore, the server must establish the SSL connection using a key file from a Site document before it is able to determine what the Host header has specified. Domino uses the first Site document that contains the IP address to which the browser connected. Any other Internet Site documents configured for SSL with that same IP address are in effect ignored. These documents are still usable for non-SSL connections but cannot be used for SSL connections.

Note: You must specify an IP address in the Internet Site document or Domino returns an error. For more information, refer to technote "Error: "SSL Handshake failure, no website found for IP address [x.xx.xx.xxx]"" (#1104852 ).

When using SSL, it is also important to ensure that you have Internet Site documents defined for any additional non-SSL aliases. SSL-enabled Internet Site documents have the IP address listed in the host names or addresses mapped to this site field. Therefore, it cannot be expected that non-SSL DNS aliases will be answered by the default Internet Site. Non-SSL aliases are routed to the Internet Site document containing the IP address if no matching host names are found, so you should define Internet Site documents for non-SSL aliases as well.

Related information

Error: "SSL Handshake failure. No website found for IP"

Document information

More support for: IBM Domino
Security

Software version: 6.5, 7.0, 8.0, 8.5, 9.0, 9.0.1

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1173919

Modified date: 08 June 2009