<html><head></head><body><div class="ydp80e16cacyahoo-style-wrap" style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 13px;"><div></div>
<div dir="ltr" data-setdir="false">Sean,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">You are doing it mostly right. You just need to disable HTTPS on your IIS. That is, remove the site bindings on port 443. Google for this if you don't know how to do it.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">After you release port 443, configure stunnel to bind to port 443 and restart it.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Also, you should configure IIS to bind only on the loopback interface to prevent clear-text connections on port 80 from external clients. Your [https] section in stunnel.conf should look like this:</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><div><tt style="color: rgb(38, 40, 42);">; TLS front-end to a web server<br>
[https]<br>
accept = 10.0.1.11:443<br>
connect = 127.0.0.1:80<br>
cert = C:\Program Files\stunnel\config\mywebsite.pem<br>
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel<br>
; Microsoft implementations do not use TLS close-notify alert and thus they<br>
; are vulnerable to truncation attacks<br>
TIMEOUTclose = 0<br>
</tt></div><br></div><div dir="ltr" data-setdir="false">You should remove your [domain] section. You may need to add SNI entries to your [https] section.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Regards,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Jose</div><div><br></div>
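<div dir="ltr" data-setdir="false">As an added example (not from the thread or from the stunnel project), a small Python linter that parses a stunnel.conf and flags the points raised in this exchange: an accept port other than 443, a connect target that sends clear text off the host, an SNI slave whose master service does not exist, and a slave that carries its own accept. The two embedded configs are constructed from the thread, trimmed to the keys the checks need.</div>

```python
from typing import Dict, List, Tuple

def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, List[Tuple[str, str]]]]:
    """Split stunnel.conf into global options and named [service] sections (keys may repeat)."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = []
            continue
        key, _, value = line.partition("=")
        if current is None:
            global_opts[key.strip()] = value.strip()
        else:
            services[current].append((key.strip(), value.strip()))
    return global_opts, services

def lint(text: str) -> List[str]:
    """Return findings for the pitfalls discussed in the thread; [] means the config passed."""
    findings: List[str] = []
    _, services = parse_stunnel_conf(text)
    for name, opts in services.items():
        by_key: Dict[str, List[str]] = {}
        for k, v in opts:
            by_key.setdefault(k, []).append(v)
        for a in by_key.get("accept", []):
            port = a.rsplit(":", 1)[-1]
            if port != "443":
                findings.append(f"[{name}] accepts on port {port}; HTTPS clients expect 443")
        for c in by_key.get("connect", []):
            host = c.rsplit(":", 1)[0] if ":" in c else "localhost"  # bare port means localhost
            if host not in ("localhost", "127.0.0.1", "::1"):
                findings.append(f"[{name}] forwards clear text off-host to {c}")
        for s in by_key.get("sni", []):
            master = s.split(":", 1)[0]  # sni = MASTER_SERVICE:SERVER_NAME_PATTERN
            if master not in services:
                findings.append(f"[{name}] sni names a missing master service [{master}]")
        if "sni" in by_key and "accept" in by_key:
            findings.append(f"[{name}] is an SNI slave and must not have its own accept")
    return findings

# Constructed from the thread (trimmed, not Sean's file verbatim): his sections, then Jose's.
SEAN_CONF = ("[https]\naccept = 10.0.1.11:442\nconnect = 80\nTIMEOUTclose = 0\n"
             "[domain]\nsni = https:mywebsite.com\nsni = https:www.mywebsite.com\nconnect = localhost:80\n")
JOSE_CONF = "[https]\naccept = 10.0.1.11:443\nconnect = 127.0.0.1:80\nTIMEOUTclose = 0\n"
```

Running <tt>lint(SEAN_CONF)</tt> reports only the port 442 binding, and <tt>lint(JOSE_CONF)</tt> reports nothing; the check cannot see what else is listening on 443, so the WSAEACCES error still has to be resolved on the host by releasing the IIS binding.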
</div><div id="ydp1ec43064yahoo_quoted_3391833085" class="ydp1ec43064yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Wednesday, February 26, 2020, 02:53:08 PM GMT-5, Sean Kelley <skelley@surething.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="ydp1ec43064yiv8962107974">
<div>
<p><b>Issue:</b></p>
<p>Old Windows Server cannot be upgraded, but needs TLS 1.2
encryption. Stunnel looks like a solution, but I'm having issues
configuring it to work (It is "running" successfully with a pem
file and port 442). In IIS Manager btw, the website SSL Port is
set to 443. <br>
</p>
<p>I've tried searching (i.e. google "site: <a class="ydp1ec43064yiv8962107974moz-txt-link-freetext" href="https://www.stunnel.org/pipermail/stunnel-users/" rel="nofollow" target="_blank">https://www.stunnel.org/pipermail/stunnel-users/</a>
server 2003") and have found a few leads, but nothing that
addresses my issues in a way I understand. My ignorance I'm sure.<br>
</p>
<p><b>Server details:</b></p>
<ul>
<li>Windows Server 2003, Standard Edition, Service Pack 2</li>
<li>IIS web server running 3 websites (ASP, PHP mix)<br>
</li>
<li>Valid Certificates from Lets Encrypt in Certificate Store</li>
<li>stunnel 5.49 (latest version I could find that works on 32-bit
OSes) sorry it's not the latest :(<br>
</li>
</ul>
<p><b>Working Log with Port 442:</b></p>
<p><tt>2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2<br>
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients<br>
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform<br>
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips 14 Aug 2018<br>
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI<br>
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())<br>
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized<br>
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2<br>
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf<br>
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected<br>
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled<br>
2020.02.24 15:24:37 LOG7[main]: Compression disabled<br>
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required<br>
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]<br>
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK<br>
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)<br>
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded<br>
2020.02.24 15:24:37 LOG7[main]: ECDH initialization<br>
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1<br>
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]<br>
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK<br>
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)<br>
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem<br>
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded<br>
2020.02.24 15:24:37 LOG7[main]: ECDH initialization<br>
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1<br>
2020.02.24 15:24:37 LOG5[main]: Configuration successful<br>
2020.02.24 15:24:37 LOG7[main]: Binding service [https]<br>
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)<br>
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)<br>
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442<br>
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]<br>
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized<br>
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs<br>
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds<br>
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds<br>
</tt></p>
<p><b>Log Error with port 443:</b></p>
<p><tt>Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)</tt></p>
<p><b>Conf:</b><br>
</p>
<p><tt>; Debugging stuff (may be useful for troubleshooting)<br>
debug = 7<br>
;output = stunnel.log<br>
<br>
; TLS front-end to a web server<br>
[https]<br>
; doesn't work with 443 below, works with 442<br>
accept = 10.0.1.11:442<br>
connect = 80<br>
cert = C:\Program Files\stunnel\config\mywebsite.pem<br>
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel<br>
; Microsoft implementations do not use TLS close-notify alert and thus they<br>
; are vulnerable to truncation attacks<br>
TIMEOUTclose = 0<br>
<br>
[domain]<br>
sni = https:mywebsite.com<br>
sni = https:www.mywebsite.com<br>
cert = C:\Program Files\stunnel\config\mywebsite.pem<br>
; connect = 80<br>
connect = localhost:80<br>
client = no<br>
sslVersion = TLSv1.2<br>
</tt></p>
<p><tt>--------------<br>
</tt></p>
<p><tt>Thanks,</tt></p>
<p><tt>Sean<br>
</tt></p>
</div>
</div>_______________________________________________<br>stunnel-users mailing list<br><a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br><a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="nofollow" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br></div>
</div>
</div></body></html>