*Issue:*
Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption. Stunnel looks like a solution, but I'm having issues configuring it to work (It is "running" successfully with a pem file and port 442). In IIS Manager btw, the website SSL Port is set to 443.
I've tried searching (i.e. google "site: https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have found a few leads, but nothing that addresses my issues in a way I understand. My ignorance I'm sure.
*Server details:*
* Windows Server 2003, Standard Edition, Service Pack 2
* IIS web server running 3 websites (ASP, PHP mix)
* Valid Certificates from Lets Encrypt in Certificate Store
* stunnel 5.49 (latest version I could find that works on 32bit OS's) sorry it's not the latest :(
*Working Log with Port 442:*
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips 14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds
*Log Error with port 443:*
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
*Conf:*
; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no
sslVersion = TLSv1.2
--------------
Thanks,
Sean
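Added example (not part of Sean's message and not an stunnel tool): a small Python parser for stunnel log output like the one above. It pulls out, per service, whether the listener was bound, skipped as an SNI slave, or failed to bind, and attaches a hint for the Winsock error code. The sample log is constructed from lines in this post; the hint text for 10013 assumes the situation described in this thread (another listener, IIS, already owning port 443), and the timestamp/LOGn prefix is treated as optional so a line pasted without it still parses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Winsock error codes stunnel reports after a failed bind(). The 10013 hint
# describes this thread's case (IIS already listening on 443); reading
# WSAEACCES as "port owned by another listener" is an assumption.
WSA_HINTS: Dict[str, str] = {
    "10013": "WSAEACCES: bind refused, typically because another process (here IIS) already owns the port",
    "10048": "WSAEADDRINUSE: address/port already in use",
    "10049": "WSAEADDRNOTAVAIL: the accept= address is not configured on this host",
}

# "2020.02.24 15:24:38 LOG6[main]: " prefix; optional so a line pasted
# without it (as the port-443 error was in the post) still parses.
PREFIX = r"^(?:\S+ \S+ LOG\d\[[^\]]*\]: )?"
INIT_RE = re.compile(PREFIX + r"Initializing service \[(?P<svc>[^\]]+)\]")
BOUND_RE = re.compile(PREFIX + r"Service \[(?P<svc>[^\]]+)\] \(FD=\d+\) bound to (?P<addr>\S+)")
SLAVE_RE = re.compile(PREFIX + r"Skipped SNI slave service \[(?P<svc>[^\]]+)\]")
FAIL_RE = re.compile(PREFIX + r"Binding service \[(?P<svc>[^\]]+)\] to (?P<addr>\S+?): "
                     r"(?P<reason>.+?)(?: \((?P<code>\d+)\))?\s*$")

# Constructed sample: a trimmed copy of the debug log in this post followed by
# the port-443 failure line exactly as it was pasted (no timestamp prefix).
SAMPLE_LOG = """\
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
"""


@dataclass
class BindEvent:
    service: str
    state: str                  # "initialized" | "bound" | "sni-slave" | "failed"
    addr: Optional[str] = None
    reason: Optional[str] = None
    code: Optional[str] = None
    hint: Optional[str] = None


def parse_bind_events(log_text: str) -> List[BindEvent]:
    """Extract per-service listener outcomes from stunnel log text, in order."""
    events: List[BindEvent] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = INIT_RE.match(line)
        if m:
            events.append(BindEvent(m["svc"], "initialized"))
            continue
        m = BOUND_RE.match(line)
        if m:
            events.append(BindEvent(m["svc"], "bound", addr=m["addr"]))
            continue
        m = SLAVE_RE.match(line)
        if m:
            events.append(BindEvent(m["svc"], "sni-slave"))
            continue
        m = FAIL_RE.match(line)
        if m:
            code = m["code"]
            events.append(BindEvent(m["svc"], "failed", addr=m["addr"], reason=m["reason"],
                                    code=code, hint=WSA_HINTS.get(code, "unknown Winsock error")))
    return events


def final_states(events: List[BindEvent]) -> Dict[str, BindEvent]:
    """Last recorded state per service (a later run overrides an earlier one)."""
    out: Dict[str, BindEvent] = {}
    for e in events:
        out[e.service] = e
    return out


def failed_bindings(events: List[BindEvent]) -> List[BindEvent]:
    return [e for e in events if e.state == "failed"]


if __name__ == "__main__":
    evs = parse_bind_events(SAMPLE_LOG)
    for svc, e in final_states(evs).items():
        print(f"[{svc}] {e.state}" + (f" {e.addr}" if e.addr else ""))
    for e in failed_bindings(evs):
        print(f"  {e.addr}: {e.reason} -> {e.hint}")
```

Run against a real stunnel log (debug = 7 as in the post), the parser reports which services ended up bound, which were SNI slaves riding on a master listener, and which binds failed, so the "works on 442, not on 443" situation shows up as a bound event for one port and a failed event with the 10013 hint for the other.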
Hi,
You just need to forget about the IIS secure port, as it won't be used anymore; it will be managed by Stunnel and redirected to port 80.
Or you can go the other way around: set up a second IP on the network device and NAT to it (I'm guessing that is what you are doing through a router) instead of the IP that IIS serves on, and re-route it from Stunnel to the other IP at port 80.
Both scenarios are valid. The second one is slightly going in circles...
Told the other way:
Public IP:443 > Stunnel listening on (10.0.1.11)443 and redirecting traffic to IIS (10.0.1.11):80
or
Public IP:443 > Stunnel keeps listening on (ie: 10.0.1.110)442 (NAPTed) and redirects to IIS (10.0.1.11):80
Note that I'm just giving options. The idea you should get is that IIS will stop managing the secure connection, so listening on 443 is not needed anymore; it will be managed by Stunnel. IIS will only act as a plain-text server (80).
Unless IIS needs to manage, or set up, a secure setting for some reason (I don't know how it works; it should be like any other HTTP server), that is what you should do.
Regards.
On Thu, 27 Feb 2020 00:12:28 +0100 Javier jamilist.stn@gmx.es wrote:
> Public IP:443 > Stunnel keeps listening on (ie: 10.0.1.110)442 (NAPTed) and redirects to IIS (10.0.1.11):80
Oops, a little typo.
Where it says (ie: 10.0.1.110)442 should say (ie: 10.0.1.110)443.
In that second example, it is if you really want Stunnel to listen on port 443, but using a second IP.
If you are NATting, actually, you can use whatever port you want. The 443 is just the public port. Locally you can have 43569, for example, as the real server.
Regards.
Sean,
You are doing it mostly right. You just need to disable https on your IIS. That is, remove site bindings on port 443. Google for this if you don't know how to do it.
After you release port 443, configure stunnel to bind to port 443 and restart it. Also, you should configure IIS to bind only on the loopback interface to prevent clear text connections on port 80 from external clients. Your [https] section in stunnel.conf should look like this:

; TLS front-end to a web server
[https]
accept = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

You should remove your [domain] section. You may need to add SNI entries to your [https] section.
Regards,
Jose
On Wednesday, February 26, 2020, 02:53:08 PM GMT-5, Sean Kelley skelley@surething.com wrote:
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
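Added example, not code from this thread or from stunnel: a small Python linter for stunnel.conf that encodes the configuration points made in the replies above. It relies on two stunnel rules: options placed before the first [section] are global defaults, while options after a section header belong to that section, so the `sslVersion = TLSv1.2` line in the posted conf (which follows [domain]) applies only to the SNI slave and not to [https]; and `connect = port` with no host defaults to localhost. The two sample configs are constructed from the thread (the posted one with accept already moved to 443, and Jose's [https] section with sslVersion made global). The "plaintext over the network" check only sees stunnel's side; it cannot tell whether IIS itself is still listening for cleartext on all interfaces, which is the separate loopback-binding step Jose describes.

```python
from typing import List, Optional, Tuple

Section = Tuple[Optional[str], List[Tuple[str, str]]]
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
MODERN_VERSIONS = {"tlsv1.2", "tlsv1.3"}   # heuristic: anything else may allow < TLS 1.2


def parse_stunnel_conf(text: str) -> List[Section]:
    """Read stunnel.conf keeping section order and duplicate keys (e.g. several sni= lines).

    Options before the first [section] are global; options after a header
    belong to that section, which is why placement of sslVersion matters.
    """
    sections: List[Section] = [(None, [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), []))
            continue
        key, _, value = line.partition("=")
        sections[-1][1].append((key.strip(), value.strip()))
    return sections


def option(opts: List[Tuple[str, str]], key: str) -> List[str]:
    return [v for k, v in opts if k.lower() == key.lower()]


def backend_host(connect_value: str) -> str:
    """'connect = [host:]port'; stunnel defaults the host to localhost."""
    host, sep, _port = connect_value.rpartition(":")
    return host.strip("[]") if sep else "localhost"


def lint_stunnel_conf(text: str) -> List[str]:
    sections = parse_stunnel_conf(text)
    global_opts = sections[0][1]
    names = [name for name, _ in sections[1:]]
    findings: List[str] = []
    for name, opts in sections[1:]:
        # A slave section is "sni = master:hostname"; the master must exist.
        masters = [s.split(":", 1)[0] for s in option(opts, "sni") if ":" in s]
        for master in masters:
            if master not in names:
                findings.append(f"[{name}]: sni refers to unknown master service [{master}]")
        if not (option(opts, "accept") or masters):
            continue                              # not a TLS-terminating server section
        if not option(opts, "cert"):
            findings.append(f"[{name}]: TLS server section without cert=")
        versions = option(opts, "sslVersion") or option(global_opts, "sslVersion")
        if not versions:
            elsewhere = [n for n, o in sections[1:] if n != name and option(o, "sslVersion")]
            note = ""
            if elsewhere:
                note = "; sslVersion under " + ", ".join(f"[{n}]" for n in elsewhere) + " does not apply here"
            findings.append(f"[{name}]: no minimum TLS version (sslVersion) in the section or globally{note}")
        elif versions[-1].lower() not in MODERN_VERSIONS:
            findings.append(f"[{name}]: sslVersion = {versions[-1]} permits a protocol older than TLS 1.2")
        for target in option(opts, "connect"):
            if backend_host(target) not in LOOPBACK:
                findings.append(f"[{name}]: connect = {target} sends plaintext to a backend over the network")
    return findings


# Constructed: the conf from the original post, with accept already on 443.
POSTED_CONF = r"""
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
accept = 10.0.1.11:443
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
connect = localhost:80
client = no
sslVersion = TLSv1.2
"""

# Constructed: the [https] section from the reply, with sslVersion placed
# before the first section so it becomes a global default.
FIXED_CONF = r"""
debug = 7
sslVersion = TLSv1.2

[https]
accept = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
TIMEOUTclose = 0
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_stunnel_conf(conf) or ["ok"])
```

On the posted conf the only finding is for [https]: it has no sslVersion of its own and none globally, and the one under [domain] does not reach it, so the listener that actually terminates TLS is not pinned to TLS 1.2. On the fixed conf there are no findings.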