Sean,
You are doing it mostly right. You just need to disable https on your IIS. That 
is, remove site bindings on port 443. Google for this if you don't know how to 
do it.

After you release port 443, configure stunnel to bind to port 443 and restart 
it. 
Also, you should configure IIS to bind only on the loopback interface to 
prevent clear text connections on port 80 from external clients. Your [https] 
section in stunnel.conf should look like this:
; TLS front-end to a web server
[https]
accept  = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

You should remove your [domain] section. You may need to add SNI entries to 
your [https] section.
Regards,
Jose
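One way to check a stunnel.conf against the layout recommended in the reply above, as an added example that is not code from stunnel or from either poster; the parser, the finding texts and the constructed sample conf are assumptions made for illustration:

```python
import re

def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax into {section: [(key, value), ...]}.
    Keys may repeat (several 'sni' lines); options before any [section] go under None."""
    sections, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # ';' starts a comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
    return sections

def lint_front_end(text, service="https"):
    """Return findings; an empty list means the conf matches the reply's layout."""
    conf = parse_stunnel_conf(text)
    opts = conf.get(service, [])                   # missing section -> every check fires
    values = lambda k: [v for key, v in opts if key == k]
    findings = []
    accept = values("accept")
    if not accept or not accept[0].endswith(":443"):
        findings.append("accept must listen on :443 (release it from IIS first)")
    connect = values("connect")
    host = connect[0].rsplit(":", 1)[0] if connect and ":" in connect[0] else None
    if host not in ("127.0.0.1", "localhost", "::1"):
        findings.append("connect should name the loopback host, e.g. 127.0.0.1:80")
    if values("TIMEOUTclose") != ["0"]:
        findings.append("TIMEOUTclose = 0 missing (SChannel close-notify workaround)")
    for name in conf:
        if name not in (None, service):
            findings.append(f"extra section [{name}]: the reply recommends removing it")
    return findings

# Constructed sample mirroring the posted conf: port 442, bare port, stray [domain].
POSTED_CONF = """\
[https]
accept  = 10.0.1.11:442
connect = 80
TIMEOUTclose = 0
[domain]
sni = https:mywebsite.com
connect = localhost:80
"""
```

Running `lint_front_end(POSTED_CONF)` lists the three points the reply raises (port, loopback backend, leftover [domain]); the recommended conf yields no findings.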
On Wednesday, February 26, 2020, 02:53:08 PM GMT-5, Sean Kelley <[email protected]> wrote:

Issue:
 
Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption. Stunnel 
looks like a solution, but I'm having issues configuring it to work (it is 
"running" successfully with a pem file and port 442). In IIS Manager, by the way, the 
website SSL Port is set to 443. 
 
 
I've tried searching (i.e. google "site: 
https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have found a 
few leads, but nothing that addresses my issues in a way I understand. My 
ignorance I'm sure.
 
 
Server details:

   - Windows Server 2003, Standard Edition, Service Pack 2
   - IIS web server running 3 websites (ASP, PHP mix)
   - Valid certificates from Let's Encrypt in Certificate Store
   - stunnel 5.49 (latest version I could find that works on 32-bit OSes) sorry 
it's not the latest :(
 
 
Working Log with Port 442:

2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips  14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds
 
 
Log Error with port 443:
 
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
 
 
Conf:

; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept  = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no

sslVersion = TLSv1.2

--------------

Thanks,
 
Sean
 
 _______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users