[stunnel-users] Windows Server 2003 issues with stunnel, TLS 1.2 on website(s)
Sean Kelley
skelley at surething.com
Wed Feb 26 20:52:36 CET 2020
*Issue:*
Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption.
Stunnel looks like a solution, but I'm having issues configuring it to
work (it is "running" successfully with a pem file and port 442). In IIS
Manager, btw, the website SSL port is set to 443.
I've tried searching (i.e. google "site:
https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have
found a few leads, but nothing that addresses my issues in a way I
understand. My ignorance I'm sure.
*Server details:*
* Windows Server 2003, Standard Edition, Service Pack 2
* IIS web server running 3 websites (ASP, PHP mix)
* Valid certificates from Let's Encrypt in the Certificate Store
* stunnel 5.49 (latest version I could find that works on 32-bit OSes);
sorry it's not the latest :(
*Working Log with Port 442:*
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips 14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds
*Log Error with port 443:*
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
*Conf:*
; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log
; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no
sslVersion = TLSv1.2
--------------
Thanks,
Sean
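Added example, not part of Sean's post or of stunnel: the log shows port 442 binding fine while 443 fails with WSAEACCES (10013), and the post also says the IIS site's SSL port is 443. The usual cause of that pair of symptoms is that a listener already holds the address/port stunnel's `accept =` line asks for, so the first check is whether the port is bindable at all before stunnel is started. The helper below tries the bind the way a listener would (no SO_REUSEADDR), classifies the Winsock or POSIX error, and includes a constructed reproduction on 127.0.0.1 with an ephemeral port standing in for 10.0.1.11:443. Function names and the error mapping are my own.

```python
"""Probe whether an stunnel accept= address/port can be bound (added example)."""
import errno
import socket

# Winsock error codes as they appear in stunnel's Windows log lines.
WSAEACCES = 10013       # "Permission denied (WSAEACCES)" from the post
WSAEADDRINUSE = 10048   # the other common bind failure on Windows


def classify_bind_error(code):
    """Map a bind() error number (Winsock or POSIX) to a short diagnosis."""
    if code in (WSAEACCES, errno.EACCES):
        # On Windows this is what another process holding the port
        # exclusively (or a privileged port without rights) looks like.
        return "access_denied"
    if code in (WSAEADDRINUSE, errno.EADDRINUSE):
        return "in_use"
    return "other"


def probe_bind(host, port):
    """Try to bind and listen on host:port like stunnel would; report the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return {"bindable": True, "errno": 0, "reason": "free"}
    except OSError as e:
        # On Windows the Winsock code is in winerror; elsewhere only errno exists.
        code = getattr(e, "winerror", None) or e.errno
        return {"bindable": False, "errno": code,
                "reason": classify_bind_error(code)}
    finally:
        s.close()


def demo_conflict():
    """Constructed reproduction: hold a port the way IIS holds 443, then probe it."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))     # ephemeral port stands in for 10.0.1.11:443
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        busy = probe_bind("127.0.0.1", port)   # expected: not bindable
    finally:
        holder.close()
    free = probe_bind("127.0.0.1", 0)          # expected: bindable, like port 442
    return {"busy": busy, "free": free}


if __name__ == "__main__":
    print(demo_conflict())
```

On the real box, run `probe_bind("10.0.1.11", 443)` with IIS up and again with the site stopped; if the result flips from `access_denied`/`in_use` to `free`, the two services are competing for the same socket.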