[stunnel-users] Windows Server 2003 issues with stunnel, TLS 1.2 on website(s)

Sean Kelley skelley at surething.com
Wed Feb 26 20:52:36 CET 2020 

*Issue:*

Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption. 
Stunnel looks like a solution, but I'm having issues configuring it to 
work (It is "running" successfully with a pem file and port 442). In IIS 
Manager btw, the website SSL Port is set to 443.

I've tried searching (i.e. google "site: 
https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have 
found a few leads, but nothing that addresses my issues in a way I 
understand. My ignorance I'm sure.

*Server details:*

  * Windows Server 2003, Standard Edition, Service Pack 2
  * IIS web server running 3 websites (ASP, PHP mix)
  * Valid Certificates from Lets Encrypt in Certificate Store
  * stunnel 5.49 (latest version I could find that works on 32bit OS's)
    sorry it's not the latest :(

*Working Log with Port 442:*

2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 
1.0.2p-fips  14 Aug 2018
2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 
TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
2020.02.24 15:24:37 LOG7[main]: Compression disabled
2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, 
-0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: 
C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program 
Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: 
C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program 
Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, 
-0x00000000)
2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: 
C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program 
Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Loading private key from file: 
C:\Program Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program 
Files\stunnel\config\mywebsite.pem
2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
2020.02.24 15:24:37 LOG7[main]: ECDH initialization
2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
2020.02.24 15:24:37 LOG5[main]: Configuration successful
2020.02.24 15:24:37 LOG7[main]: Binding service [https]
2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 
10.0.1.11:442
2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds

*Log Error with port 443:*

Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) 
(10013)*
*

*Conf:*

; Debugging stuff (may be useful for troubleshooting)
debug = 7
;output = stunnel.log

; TLS front-end to a web server
[https]
; doesn't work with 443 below, works with 442
accept  = 10.0.1.11:442
connect = 80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

[domain]
sni = https:mywebsite.com
sni = https:www.mywebsite.com
cert = C:\Program Files\stunnel\config\mywebsite.pem
; connect = 80
connect = localhost:80
client = no

sslVersion = TLSv1.2

--------------

Thanks,

Sean

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200226/6403124f/attachment.htm>

More information about the stunnel-users mailing list