[stunnel-users] Windows Server 2003 issues with stunnel, TLS 1.2 on website(s)

Jose Alf. josealf at rocketmail.com
Thu Feb 27 01:44:51 CET 2020 

 Sean,
You are doing it mostly right. You just need to disable https on your IIS. That is, remove site bindings on port 443. Google for this if you don't know how to do it.

After you release port 443, configure stunnel to bind to port 443 and restart it. 
Also, you should configure IIS to bind only on the loopback interface to prevent clear text connections on port 80 from external clients. Your [https] section in stunnel.conf should look like this:
; TLS front-end to a web server
[https]
accept  = 10.0.1.11:443
connect = 127.0.0.1:80
cert = C:\Program Files\stunnel\config\mywebsite.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

You should remove your [domain] section. You may need to add SNI entries to your [https] section.
Regards,
Jose
    On Wednesday, February 26, 2020, 02:53:08 PM GMT-5, Sean Kelley <skelley at surething.com> wrote:  
 
   
Issue:
 
Old Windows Server cannot be upgraded, but needs TLS 1.2 encryption. Stunnel looks like a solution, but I'm having issues configuring it to work (It is "running" successfully with a pem file and port 442). In IIS Manager btw, the website SSL Port is set to 443. 
 
 
I've tried searching (i.e. google "site: https://www.stunnel.org/pipermail/stunnel-users/ server 2003") and have found a few leads, but nothing that addresses my issues in a way I understand. My ignorance I'm sure.
 
 
Server details:
    
   - Windows Server 2003, Standard Edition, Service Pack 2
   - IIS web server running 3 websites (ASP, PHP mix)   
 
   - Valid Certificates from Lets Encrypt in Certificate Store
   - stunnel 5.49 (latest version I could find that works on 32bit OS's) sorry it's not the latest :(   
 
 
Working Log with Port 442:
 
2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
 2020.02.24 15:24:37 LOG7[main]: No limit detected for the number of clients
 2020.02.24 15:24:37 LOG5[main]: stunnel 5.49 on x86-pc-msvc-1500 platform
 2020.02.24 15:24:37 LOG5[main]: Compiled/running with OpenSSL 1.0.2p-fips  14 Aug 2018
 2020.02.24 15:24:37 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
 2020.02.24 15:24:37 LOG7[main]: errno: (*_errno())
 2020.02.24 15:24:37 LOG7[ui]: GUI message loop initialized
 2020.02.24 15:24:37 LOG7[main]: Running on Windows 5.2
 2020.02.24 15:24:37 LOG5[main]: Reading configuration from file stunnel.conf
 2020.02.24 15:24:37 LOG5[main]: UTF-8 byte order mark detected
 2020.02.24 15:24:37 LOG5[main]: FIPS mode disabled
 2020.02.24 15:24:37 LOG7[main]: Compression disabled
 2020.02.24 15:24:37 LOG7[main]: No PRNG seeding was required
 2020.02.24 15:24:37 LOG6[main]: Initializing service [https]
 2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
 2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03004004 (+0x00004000, -0x00000000)
 2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
 2020.02.24 15:24:37 LOG7[main]: ECDH initialization
 2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
 2020.02.24 15:24:37 LOG6[main]: Initializing service [domain]
 2020.02.24 15:24:37 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
 2020.02.24 15:24:37 LOG7[main]: TLS options: 0x03014004 (+0x00014000, -0x00000000)
 2020.02.24 15:24:37 LOG6[main]: Loading certificate from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG6[main]: Certificate loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG6[main]: Loading private key from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG6[main]: Private key loaded from file: C:\Program Files\stunnel\config\mywebsite.pem
 2020.02.24 15:24:37 LOG7[main]: Private key check succeeded
 2020.02.24 15:24:37 LOG7[main]: ECDH initialization
 2020.02.24 15:24:37 LOG7[main]: ECDH initialized with curve prime256v1
 2020.02.24 15:24:37 LOG5[main]: Configuration successful
 2020.02.24 15:24:37 LOG7[main]: Binding service [https]
 2020.02.24 15:24:37 LOG7[main]: Listening file descriptor created (FD=292)
 2020.02.24 15:24:38 LOG7[main]: Setting accept socket options (FD=292)
 2020.02.24 15:24:38 LOG6[main]: Service [https] (FD=292) bound to 10.0.1.11:442
 2020.02.24 15:24:38 LOG7[main]: Skipped SNI slave service [domain]
 2020.02.24 15:24:38 LOG7[cron]: Cron thread initialized
 2020.02.24 15:25:38 LOG6[cron]: Executing cron jobs
 2020.02.24 15:25:38 LOG6[cron]: Cron jobs completed in 0 seconds
 2020.02.24 15:25:38 LOG7[cron]: Waiting 86400 seconds
 
 
Log Error with port 443:
 
Binding service [https] to 10.0.1.11:443: Permission denied (WSAEACCES) (10013)
 
 
Conf:
 
 ; Debugging stuff (may be useful for troubleshooting)
 debug = 7
 ;output = stunnel.log
 
 ; TLS front-end to a web server
 [https]
 ; doesn't work with 443 below, works with 442
 accept  = 10.0.1.11:442
 connect = 80
 cert = C:\Program Files\stunnel\config\mywebsite.pem
 ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
 ; Microsoft implementations do not use TLS close-notify alert and thus they
 ; are vulnerable to truncation attacks
 TIMEOUTclose = 0
 
 [domain]
 sni = https:mywebsite.com
 sni = https:www.mywebsite.com
 cert = C:\Program Files\stunnel\config\mywebsite.pem
 ; connect = 80
 connect = localhost:80
 client = no
  
 sslVersion = TLSv1.2
 
--------------
 
 
Thanks,
 
Sean
 
 _______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200227/ade351b6/attachment-0001.htm>

More information about the stunnel-users mailing list