Sean, You are doing it mostly right. You just need to disable https on your IIS. That is, remove site bindings on port 443. Google for this if you don't know how to do it.
After you release port 443, configure stunnel to bind to port 443 and restart it. Also, you should configure IIS to bind only on the loopback interface to prevent clear-text connections on port 80 from external clients. Your [https] section in stunnel.conf should look like this:

; TLS front-end to a web server
[https]
accept = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

You should remove your [domain] section. You may need to add SNI entries to your [https] section.

Regards,
Jose

On Wednesday, February 26, 2020, 02:53:08 PM GMT-5, Sean Kelley skelley@surething.com wrote:
Issue:
Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption. Stunnel looks like a solution, but I'm having issues configuring it to work (it is "running" successfully with a pem file and port 442). In IIS Manager, btw, the website SSL port is set to 443.
I've tried searching (i.e. google "site: https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have found a few leads, but nothing that addresses my issues in a way I understand. My ignorance I'm sure.
Server details:
- Windows Server 2003, Standard Edition, Service Pack 2
- IIS web server running 3 websites (ASP, PHP mix)
- Valid certificates from Let's Encrypt in Certificate Store
- stunnel 5.49 (latest version I could find that works on 32-bit OS's) sorry it's not the latest :(
Working Log with Port 442:
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips 14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds
Log Error with port 443:
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
Conf:
; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no

sslVersion = TLSv1.2
--------------
Thanks,
Sean
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
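Added example, not part of the thread and not stunnel's own code: a small Python linter that parses stunnel.conf the way stunnel reads it (options before the first section are global; keys such as sni may repeat) and applies the checks behind Jose's advice to Sean's posted sections and to Jose's corrected [https] section, both embedded here as constructed input. It also decodes the bind error Sean posted: Winsock 10013 (WSAEACCES) rather than 10048 (WSAEADDRINUSE) is what a bind gets when http.sys, i.e. the IIS site binding, already owns the port, which is why releasing 443 in IIS comes first. Assumptions of this example: moving Sean's `sslVersion = TLSv1.2` from [domain] into [https] (neither of them wrote that; it follows from sslVersion being a per-service option, so a value set only in an SNI slave never applies to clients the master serves), and the function names `parse_stunnel_conf`, `split_hostport`, `lint_front_end` and `diagnose_bind_error`, which are mine.

```python
import re
from collections import defaultdict

# Constructed input: the [https] and [domain] sections Sean posted, comments trimmed.
POSTED_CONF = """
[https]
accept = 10.0.1.11:442
connect = 80
cert = C:\\Program Files\\stunnel\\config\\mywebsite.pem
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\\Program Files\\stunnel\\config\\mywebsite.pem
connect = localhost:80
client = no
sslVersion = TLSv1.2
"""

# Constructed input: Jose's suggested [https] section. Carrying sslVersion = TLSv1.2
# over from Sean's [domain] is this example's assumption, not part of Jose's reply.
FIXED_CONF = """
[https]
accept = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\\Program Files\\stunnel\\config\\mywebsite.pem
sslVersion = TLSv1.2
TIMEOUTclose = 0
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_stunnel_conf(text):
    """stunnel syntax: ';'/'#' comments, globals before the first [section], repeatable keys."""
    global_opts, services = defaultdict(list), {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), defaultdict(list))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        current[key.strip()].append(value.strip())
    return global_opts, services

def split_hostport(value):
    """'80' -> (None, 80); 'host:443' -> ('host', 443); '[::1]:443' -> ('::1', 443)."""
    if value.startswith("["):
        host, _, port = value[1:].partition("]:")
    else:
        host, sep, port = value.rpartition(":")
        host = host if sep else None
    return host, (int(port) if port.isdigit() else port)

def lint_front_end(services, master="https", listen_port=443):
    """Jose's rules: master listens on 443, hands off to loopback, pins TLS 1.2
    itself, and is not shadowed by an SNI slave that presents the same cert."""
    svc = services.get(master, {})
    findings = []
    for a in svc.get("accept", []):
        _, port = split_hostport(a)
        if port != listen_port:
            findings.append(f"[{master}] accept={a}: listens on {port}, not {listen_port}")
    for c in svc.get("connect", []):
        host, port = split_hostport(c)
        if host is None:
            findings.append(f"[{master}] connect={c}: no host; write 127.0.0.1:{port}")
        elif host not in LOOPBACK:
            findings.append(f"[{master}] connect={c}: plaintext backend is not on loopback")
    # sslVersion is per-service; clients with no (or a non-matching) SNI hit the master.
    if svc.get("sslVersion") != ["TLSv1.2"]:
        findings.append(f"[{master}] lacks sslVersion = TLSv1.2")
    for name, slave in services.items():
        for target in sorted({s.partition(":")[0] for s in slave.get("sni", [])}):
            if target in services and slave.get("cert") == services[target].get("cert"):
                extra = sorted(k for k in slave if k not in ("sni", "cert", "connect", "client"))
                findings.append(f"[{name}] is an SNI slave of [{target}] presenting the same "
                                f"cert; move {extra} into [{target}] and drop the slave")
    return findings

# Winsock codes stunnel prints on bind failure; 10013 is the http.sys-holds-the-port case.
BIND_ERRORS = {
    10013: "WSAEACCES: port held with exclusive use, typically an IIS/http.sys binding; remove that site binding",
    10048: "WSAEADDRINUSE: an ordinary socket already listens there; find it with netstat -ano",
}
BIND_RE = re.compile(r"Binding service \[(?P<svc>[^\]]+)\] to (?P<addr>\S+): .*\((?P<code>\d+)\)\s*$")

def diagnose_bind_error(log_line):
    """Decode a 'Binding service [x] to host:port: ... (WSAxxx) (code)' log line, else None."""
    m = BIND_RE.search(log_line)
    if not m:
        return None
    code = int(m.group("code"))
    return {"service": m.group("svc"), "address": m.group("addr"), "code": code,
            "advice": BIND_ERRORS.get(code, "unrecognised Winsock error")}
```

Running `lint_front_end` over the posted sections reports the 442 listener, the host-less `connect = 80`, the missing `sslVersion` on the master and the redundant [domain] slave; the fixed section reports nothing. Once 443 is released in IIS and the IIS HTTP binding is moved to 127.0.0.1:80, the remaining check is external: `netstat -ano` on the box should show stunnel on 10.0.1.11:443 and nothing but 127.0.0.1 on port 80.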