Sean,

You are doing it mostly right. You just need to disable HTTPS on your IIS, that is, remove the site bindings on port 443. Google for this if you don't know how to do it.


After you release port 443, configure stunnel to bind to port 443 and restart it. 

Also, you should configure IIS to bind only on the loopback interface to prevent clear-text connections on port 80 from external clients. Your [https] section in stunnel.conf should look like this:

; TLS front-end to a web server
[https]
accept  = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

You should remove your [domain] section. You may need to add SNI entries to your [https] section.

Regards,

Jose
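
The IIS side of the steps in the reply above, as an added example that is not part of the thread: a cmd.exe script for Windows Server 2003 / IIS 6 that shows who holds TCP 443, lists the SSL bindings that have to be cleared, pins HTTP.SYS to the loopback address and verifies the result before stunnel is started. It assumes the Windows Support Tools (httpcfg.exe) are installed, that the server's address is 10.0.1.11 as in the posted config, and that the three sites have metabase identifiers 1, 2 and 3 (placeholders; check the Identifier column in IIS Manager).

```batch
@echo off
rem Added example, not from the thread: release TCP 443 from IIS 6 on
rem Windows Server 2003 and restrict HTTP.SYS to 127.0.0.1 before stunnel
rem takes 10.0.1.11:443. Assumes Windows Support Tools (httpcfg.exe) are
rem installed and that the site IDs 1, 2 and 3 are placeholders to adjust.
setlocal
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

echo === 1. Who holds TCP 443? PID 4 is System, i.e. HTTP.SYS on behalf of IIS,
echo        which is why stunnel's bind fails with WSAEACCES (10013).
netstat -ano -p tcp | findstr /c:"LISTENING" | findstr /c:":443 "

echo === 2. Which sites carry an SSL binding (the "SSL port" field in IIS
echo        Manager)? Clear that field on every site listed here; a site
echo        without one reports that SecureBindings is not set.
for %%S in (1 2 3) do cscript //nologo "%ADSUTIL%" get W3SVC/%%S/SecureBindings

echo === 3. Pin HTTP.SYS to loopback so the clear-text port 80 is unreachable
echo        from outside. An empty IP listen list means "all addresses".
httpcfg query iplisten
httpcfg set iplisten -i 127.0.0.1
iisreset

echo === 4. Expect 80 on 127.0.0.1 only and nothing on 443. Then start stunnel
echo        (accept = 10.0.1.11:443) and re-run this step to see it take 443.
netstat -ano -p tcp | findstr /c:"LISTENING" | findstr /c:":80 " /c:":443 "
endlocal
```

Two consequences of this layout are worth knowing before the sites go live: IIS now only ever sees clear-text HTTP from 127.0.0.1, so any ASP/PHP code that inspects the HTTPS server variable or redirects to https:// will behave as if the site were plain HTTP, and the IIS logs will record 127.0.0.1 as the client address because stunnel forwards the TCP stream without the original client IP.
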

On Wednesday, February 26, 2020, 02:53:08 PM GMT-5, Sean Kelley <skelley@surething.com> wrote:


Issue:

Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption. stunnel looks like a solution, but I'm having issues configuring it to work (it is "running" successfully with a pem file and port 442). In IIS Manager, by the way, the website's SSL port is set to 443.

I've tried searching (e.g. Google "site: https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have found a few leads, but nothing that addresses my issues in a way I understand. My ignorance, I'm sure.

Server details:

  • Windows Server 2003, Standard Edition, Service Pack 2
  • IIS web server running 3 websites (ASP, PHP mix)
  • Valid certificates from Let's Encrypt in the certificate store
  • stunnel 5.49 (latest version I could find that works on 32-bit OSes); sorry it's not the latest :(

Working Log with Port 442:

2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips  14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds

Log Error with port 443:

Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)

Conf:

; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept  = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no

sslVersion = TLSv1.2

--------------

Thanks,

Sean

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
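
For comparison with the config posted in the question, here is an added example of a complete stunnel.conf that applies the advice in the reply (it is not a config from either poster). It assumes stunnel 5.49 on the same server (10.0.1.11), IIS already listening only on 127.0.0.1:80, and that the two other sites need their own certificates; the service names [site2] and [site3], the host names example.org / example.net and the extra .pem paths are placeholders.

```ini
; Added example, not the config from the thread. Placeholders: [site2],
; [site3], example.org, example.net and the two extra .pem files.

; Log to a file at notice level; raise to 7 again only while debugging.
debug = 5
output = C:\Program Files\stunnel\config\stunnel.log

; Global section: a service-level option placed here becomes the default for
; every service below. In the posted config "sslVersion = TLSv1.2" sat under
; [domain], so it applied only to that SNI slave and not to the [https]
; service that actually accepts connections on 443.
sslVersion = TLSv1.2

; TLS front-end to a web server: the only externally reachable listener.
[https]
accept  = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

; SNI slave services are only needed for sites served with a *different*
; certificate than the master's. The posted [domain] section used the same
; mywebsite.pem as [https] and was therefore redundant. IIS still routes the
; request by its Host header, so every slave connects to the same 127.0.0.1:80.
[site2]
sni = https:example.org
sni = https:www.example.org
cert = C:\Program Files\stunnel\config\example.org.pem
connect = 127.0.0.1:80
TIMEOUTclose = 0

[site3]
sni = https:example.net
sni = https:www.example.net
cert = C:\Program Files\stunnel\config\example.net.pem
connect = 127.0.0.1:80
TIMEOUTclose = 0
```

After restarting stunnel, the log should show "Service [https] (FD=...) bound to 10.0.1.11:443" followed by the slave services being attached to it; a client that sends a server name not listed in any sni line is served with the master's mywebsite.pem.
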