Kernel-Mode SSL

Applies To: Windows Server 2003 with SP1

In Windows Server 2003 Service Pack 1 (SP1) and later, you can run SSL in kernel mode instead of the default user mode. Kernel-mode operation means that components or processes run in the core address space of the operating system.

Running SSL in kernel mode improves SSL performance by moving encryption and decryption operations to the kernel, thereby reducing the number of transitions between kernel mode and user mode.

The following restrictions apply to running SSL in kernel mode:

  • Client certificates are not supported.

  • RC2 ciphers are not supported.

  • The Private Communications Technology (PCT) 1.0 protocol is not supported.

  • Configuration changes to server certificates require a restart of the HTTP service.

  • ISAPI GetServerVariable calls for certificate information do not work.

  • Bulk encryption offload is not supported.

  • ISAPI filters do not get READ RAW DATA notifications, regardless of whether the connection is secure. This restriction affects only IIS 5.0 compatibility mode, because IIS 6.0 worker process isolation mode does not support READ RAW DATA filters regardless of the setting for kernel-mode SSL.

For information about enabling kernel-mode SSL, see Enabling Kernel Mode SSL.