<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p><b>Issue:</b></p>
<p>Old Windows Server cannot be upgraded, but needs TLS 1.2
encryption. Stunnel looks like a solution, but I'm having issues
configuring it to work (It is "running" successfully with a pem
file and port 442). In IIS Manager btw, the website SSL Port is
set to 443. <br>
</p>
<p>I've tried searching (i.e. google "site: <a
class="moz-txt-link-freetext"
href="https://www.stunnel.org/pipermail/stunnel-users/">https://www.stunnel.org/pipermail/stunnel-users/</a>
server 2003") and have found a few leads, but nothing that
addresses my issues in a way I understand. My ignorance I'm sure.<br>
</p>
<p><b>Server details:</b></p>
<ul>
<li>Windows Server 2003, Standard Edition, Service Pack 2</li>
<li>IIS web server running 3 websites (ASP, PHP mix)</li>
<li>Valid certificates from Let's Encrypt in the Certificate Store</li>
<li>stunnel 5.49 (latest version I could find that works on 32-bit OSes); sorry it's not the latest :(</li>
</ul>
<p><b>Working Log with Port 442:</b></p>
<pre>
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips 14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds
</pre>
<p><b>Log Error with port 443:</b></p>
<pre>
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
</pre>
<p><b>Conf:</b></p>
<pre>
; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no

sslVersion = TLSv1.2
</pre>
<p>Thanks,<br>
Sean</p>
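<p>The following is an added example, not code from Sean's post and not part of stunnel itself. It parses a stunnel.conf laid out like the one above (a master service with <tt>accept</tt>, an SNI slave service that names it with <tt>sni = MASTER_SERVICE:SERVER_NAME</tt>, and repeated <tt>sni =</tt> lines), reads the bind lines from a stunnel log, and correlates the two, so the "Skipped SNI slave service [domain]" relationship and the failed bind are reported together. The sample configuration and log lines are constructed from the excerpts in the post (with <tt>accept</tt> set to the 443 value that failed); 10.0.1.11 and the host names are the post's own placeholders. The reading of WSAEACCES follows the documented Winsock meaning of that error on bind(): the address is already held by another process, which here is the IIS site the post says is on SSL port 443.</p>

```python
# Added example, not from the post or from stunnel: parse a stunnel.conf, work out
# which services listen and which are SNI slaves, and correlate with log bind lines.
import re

# Constructed from the post's stunnel.conf, with accept set to 443 (the value that
# failed); 10.0.1.11 and the host names are the post's own placeholders.
SAMPLE_CONF = r"""
[https]
accept = 10.0.1.11:443
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
connect = localhost:80
client = no
sslVersion = TLSv1.2
"""

# Constructed log lines in the post's format: the earlier bind on 442, then the 443 failure.
SAMPLE_LOG = """
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:25:01 LOG3[main]: Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
"""

BOUND_RE = re.compile(r"Service \[(\w+)\] \(FD=\d+\) bound to ([\d.]+:\d+)")
BIND_FAIL_RE = re.compile(r"Binding service \[(\w+)\] to ([\d.]+:\d+): (.+?) \((WSA\w+)\) \((\d+)\)")


def parse_conf(text):
    """section name -> list of (key, value); a list because stunnel allows a key to
    repeat (the two 'sni =' lines). Options before any [section] go under ''."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint_conf(sections):
    """Return ({listener: accept address}, {slave: [(master, server name)]}, [problems])."""
    services = {name: dict(pairs) for name, pairs in sections.items() if name}
    listeners, slaves, problems = {}, {}, []
    for name, pairs in sections.items():
        if not name:
            continue
        if "accept" in services[name]:
            listeners[name] = services[name]["accept"]
        # Server-mode form is 'sni = MASTER_SERVICE:SERVER_NAME'; the client-mode
        # form 'sni = SERVER_NAME' has no master to check and is skipped here.
        for key, spec in pairs:
            if key != "sni" or ":" not in spec:
                continue
            master, server_name = spec.split(":", 1)
            if master not in services:
                problems.append("[%s] names unknown master service [%s]" % (name, master))
            elif "accept" not in services[master]:
                problems.append("[%s] master [%s] has no accept" % (name, master))
            slaves.setdefault(name, []).append((master, server_name))
        if name not in listeners and name not in slaves:
            problems.append("[%s] has no accept and is not an SNI slave" % name)
    return listeners, slaves, problems


def parse_log(text):
    """Return ({service: bound address}, [(service, address, reason, winsock name, code)])."""
    bound, failed = {}, []
    for line in text.splitlines():
        m = BOUND_RE.search(line)
        if m:
            bound[m.group(1)] = m.group(2)
        m = BIND_FAIL_RE.search(line)
        if m:
            failed.append(m.groups())
    return bound, failed


def diagnose(conf_text, log_text):
    """Correlate config and log into a list of findings."""
    listeners, slaves, problems = lint_conf(parse_conf(conf_text))
    bound, failed = parse_log(log_text)
    findings = list(problems)
    for svc, addr in listeners.items():
        for fsvc, faddr, reason, errname, code in failed:
            if (fsvc, faddr) == (svc, addr):
                msg = "[%s] could not bind %s: %s (%s %s)" % (svc, addr, reason, errname, code)
                if errname == "WSAEACCES":
                    # Documented Winsock meaning on bind(): another process already holds
                    # the address. With an IIS site on SSL port 443 that is IIS (HTTP.sys),
                    # so either the site's SSL port or stunnel's accept has to change.
                    msg += "; address already owned by another listener"
                findings.append(msg)
        if bound.get(svc, addr) != addr:
            findings.append("[%s] last bound %s per the log but the config now says %s"
                            % (svc, bound[svc], addr))
    for slave, refs in slaves.items():
        for master, server_name in refs:
            findings.append("[%s] serves SNI name %s via master [https] on %s".replace("[https]", "[%s]")
                            % (slave, server_name, master, listeners.get(master, "no accept")))
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CONF, SAMPLE_LOG)))
```

<p>Run against the samples, it reports the failed bind on 443 with the WSAEACCES reading, notes that the last successful bind in the log was on 442 while the config now says 443, and lists both host names that [domain] answers for via the [https] listener. Pointed at a real stunnel.conf and stunnel.log, the same functions show at a glance which address each listener wants and which one another process already holds.</p>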
</body>
</html>