Differences in SSL request/response flow on IIS6 vs IIS7 (Kernel mode SSL)

Posted: Nov 26, 2007  1 comments  

Average Rating

Tags
IIS7

Share this Post

There are so many things which has changed in IIS7 for the better and one of them is about the way SSL works. Although IIS6 allowed kernel mode SSL (starting with Windows 2003 SP1) that wasn't the default option. As far as I know (AFAIK) not many customers used it or knew about it.

Starting with IIS7 kernel mode SSL is going to be the default setting and the only setting. This was primarily for performance reasons. So let us see how it differs.

IIS6 SSL request/response flow

1. Request
2. HTTP.SYS
3. HTTPFilter
4. HTTP.SYS
5. Worker process
6. HTTP.SYS
7. HTTPFilter
8. HTTP.SYS
9. Response
(Encrypted Request from client)
(Kernel Mode driver for HTTP accepts the request)
(Sent to user mode service to decrypt)
(Decrypted request comes back)
(Sent decrypted request to W3Wp => IIS)
(Response comes back from IIS)
(Sent again to user mode to encrypt response)
(Encrypted response arrives from user mode)
(Encrypted response sent back to client)

 

IIS7 SSL request/response flow

1. Request
2. HTTP.SYS
3. Worker process
4. HTTP.SYS
5. Response
(Encrypted Request from client)
(Kernel Mode driver for HTTP accepts and decrypts using SChannel)
(Sent decrypted request to W3Wp => IIS)
(Response from IIS is encrypted using SChannel)
(Encrypted Response sent back to client)

You know that context switching between kernel mode and user mode is expensive and this new design of how SSL processing is done inside kernel mode increases performance on IIS7.

IIS7 Rocks!!!

Submit a Comment

  • Plain text is accepted.
  • URLs starting with http:// are converted to links.