
Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

Many things have changed for the better in IIS7, and one of them is the way SSL works. Although IIS6 allowed kernel mode SSL (starting with Windows 2003 SP1), that wasn't the default option. As far as I know (AFAIK), not many customers used it or knew about it.

Starting with IIS7, kernel mode SSL is going to be the default setting and the only setting. This was primarily for performance reasons. So let us see how it differs.

IIS6 SSL request/response flow

1. Request (Encrypted request from client)
2. HTTP.SYS (Kernel mode driver for HTTP accepts the request)
3. HTTPFilter (Sent to user mode service to decrypt)
4. HTTP.SYS (Decrypted request comes back)
5. Worker process (Sent decrypted request to W3Wp => IIS)
6. HTTP.SYS (Response comes back from IIS)
7. HTTPFilter (Sent again to user mode to encrypt response)
8. HTTP.SYS (Encrypted response arrives from user mode)
9. Response (Encrypted response sent back to client)

 

IIS7 SSL request/response flow

1. Request (Encrypted request from client)
2. HTTP.SYS (Kernel mode driver for HTTP accepts and decrypts using SChannel)
3. Worker process (Sent decrypted request to W3Wp => IIS)
4. HTTP.SYS (Response from IIS is encrypted using SChannel)
5. Response (Encrypted response sent back to client)

As you know, context switching between kernel mode and user mode is expensive. The new design does SSL processing inside kernel mode, which removes the two round trips to the user mode HTTPFilter service shown in the IIS6 flow and increases performance on IIS7.

IIS7 Rocks!!!

Published Monday, November 26, 2007 7:08 AM by sukeshak

Comments

Monday, November 26, 2007 11:30 AM by Scott

# re: Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

Is the same SSL performance enhancement available in IIS 6 (Win 2003 SP2) if I switch from user mode to kernel mode? If so, can you provide a pointer to how to make that switch?

Thanks for the info. This is useful to know.

Tuesday, November 27, 2007 3:41 AM by sukeshak

# re: Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

The same is available from Windows 2003 SP1 onwards. And this should also give performance benefits.

Please make sure you test before enabling it on a production server.

More details here...

http://msdn2.microsoft.com/en-us/library/aa364671.aspx

The registry entry (EnableKernelSSL) mentioned in the above article is obsolete from Windows 2008 onwards since it's the default setting.

Wednesday, November 28, 2007 7:54 AM by

# IIS7 - Few things to be known and to be remembered

Thought of posting this blog entry which would give some changes that are in IIS7 compared to IIS6, and


Friday, December 26, 2008 3:19 PM by ttchang

# re: Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

I am currently using client cert authentication in IIS7 and trying to find some performance enhancements. It's good to know that IIS7 by default is set to kernel mode SSL. In the past, IIS6 kernel mode SSL did not work for client certs. Is this still the case with IIS7 kernel mode SSL?

Wednesday, April 01, 2009 2:56 AM by sukeshak

# re: Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

I'm not sure about the client cert portion of the question (not tried yet). I would suggest posting on iis.net to get a confirmation.
