
I have a webservice running on a Windows Server 2012R2 with sTunnel 4.52 installed.

I can post to https with no problems, but another company needs to post to the same web server and they say that they can't because of SSL verification. I'm told that I have to support one of the following:

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

I have a paid SSL certificate installed. Here is my stunnel.conf; the pem files were created from my pfx file.

sslVersion = all
fips = no

; TLS front-end to a web server
[https]
accept  = 90100
connect = 98010
cert = C:\Program Files (x86)\stunnel\bin\publiccert.pem
key = C:\Program Files (x86)\stunnel\bin\privatekey.pem
TIMEOUTclose = 0

What will I need to add to be able to support one of the above ciphers?

Thanks for any help. Kim

Kim HJ
  • This isn't programming and probably belongs on superuser, but: openssl version is more important than stunnel; in Explorer go to install dir (typically \program files (x86)\stunnel\bin), right-click ssleay32.dll, Properties. But it's unlikely to be the ciphersuite(s); even 0.9.8-fips in upstream win32 build for 4.52, and other openssl versions current in 2012, support several of those ciphersuites. It's more likely protocol version (openssl didn't implement TLS1.1 and TLS1.2 until 1.0.2 in 2014) or, since they say 'verification', your cert chain. What does it say in your log window or file? – dave_thompson_085 Apr 22 '20 at 21:15
  • I updated the openssl. Here are some entries from the log, and it looks like it gets accepted.
    Service [https] accepted connection from 35.139.141.182:62886
    2020.04.22 19:06:56 LOG6[19729]: Peer certificate not required
    2020.04.22 19:06:56 LOG6[19729]: TLS accepted: new session negotiated
    2020.04.22 19:06:56 LOG6[19729]: No peer certificate received
    2020.04.22 19:06:56 LOG6[19729]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
    – Kim HJ Apr 22 '20 at 23:42
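Added example, not part of the question or of stunnel itself: the partner's list uses IANA cipher-suite names, while stunnel's `ciphers =` directive (and the log line above) use OpenSSL names. The hand-written mapping below covers only the 13 suites in the question; it builds the stunnel directive, checks which suites the local OpenSSL can offer, and can probe the stunnel listener offering a single suite so a protocol-version or certificate-chain problem shows up separately from a cipher mismatch.

```python
"""Translate the question's IANA suite names to OpenSSL names for stunnel.conf,
check local OpenSSL support, and probe a listener one suite at a time."""
import socket
import ssl

# Assumption: hand-written from the IANA <-> OpenSSL naming tables; covers only
# the 13 suites the partner listed in the question.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}

def stunnel_ciphers_line(iana_names):
    """Build the `ciphers = ...` line for stunnel.conf; unknown names are skipped."""
    names = [IANA_TO_OPENSSL[n] for n in iana_names if n in IANA_TO_OPENSSL]
    return "ciphers = " + ":".join(names)

def locally_supported(openssl_name):
    """True if the OpenSSL library Python links can offer this suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(openssl_name)  # raises SSLError if no cipher matches
    except ssl.SSLError:
        return False
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())

def negotiated_with(host, port, openssl_name, timeout=5.0):
    """Handshake offering only one suite; return (protocol, cipher) or None if
    the server refused it. Verification stays on, so a chain problem (the other
    cause suggested in the comments) surfaces as SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(openssl_name)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # listed suites are TLS <= 1.2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # report the chain problem rather than hide it as a cipher failure
    except ssl.SSLError:
        return None  # handshake rejected: suite or protocol version not offered
```

Running `negotiated_with("your.host", 443, "ECDHE-RSA-AES128-GCM-SHA256")` against the stunnel `accept` port reports exactly what the log's "Negotiated TLSv1.2 ciphersuite ..." line would show for that suite.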
