
Enforcing TLS 1.2 or 1.3 in Lyris LM using Stunnel

Overview

Your security team has recommended enforcing TLS 1.2 or 1.3 on your Lyris LM server(s), and you would like to know whether this is possible and how to implement it. The procedure in this article covers HTTPS only; Stunnel can also be configured to provide TLS 1.3 for incoming STARTTLS SMTP connections, but that configuration is not described here.

Solution

Important for ListManager 12.4.11 and later

Starting with ListManager 12.4.11, ListManager supports TLS 1.3 natively for HTTPS traffic. Because of this, Stunnel is no longer required solely to provide modern HTTPS transport security.

Use this article only if your environment still requires Stunnel as an additional proxy or TLS termination layer for deployment-specific reasons. The procedural steps below remain relevant for that type of deployment.

Install Stunnel

Download Stunnel and install it to the default location:

C:\Program Files (x86)\stunnel

Make the following changes to the configuration:

C:\Program Files (x86)\stunnel\config\stunnel.conf - you can replace the file with the sample below after updating listserver_domain.com for your environment.

; select the SSL/TLS versions to serve the outside world with - TLS 1.2 only in this case
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
sslVersion = TLSv1.2

[https]
; replace listserver_domain.com with the domain used
accept = listserver_domain.com:443
; internal proxy to ListManager with a localhost port 8080 connection
connect = 127.0.0.1:8080
; the path to the public and private certificates, same folder as stunnel.conf in this case
cert = ./cert.pem
key = ./certKey.pem
TIMEOUTclose = 0
; ciphers to use, these are the A++ rating ciphers for TLS 1.2
ciphers = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128:!ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA:!CBC

C:\Program Files (x86)\ListManager\tclweb\bin\clhttpd.rc

# the host can stay as it was, but it is preferable to listen on localhost only
Config ipaddr {127.0.0.1}
Config host {localhost}
# change the port to 8080 for plain HTTP connections; they will be served only on localhost
Config port 8080
# disable HTTPS on the ListManager side
Config USE_SSL2 0
Config USE_SSL3 0
Config USE_TLS1 0
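Before restarting anything, it is worth checking that the stunnel.conf you end up with still enforces the policy above. The following Python audit is an added example, not part of this article or of the stunnel project: it parses the stunnel.conf format (';' comments, repeated `options` keys, `[service]` sections) and reports where a file deviates from the sample. The configuration text embedded in it is constructed, with two deviations planted so the audit has something to report.

```python
"""Audit an stunnel.conf for the TLS policy this article configures (added example)."""
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1_1"}
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!RC4", "!MD5", "!3DES"}

# Constructed sample: the article's config with two planted deviations
# (backend not on loopback; 3DES no longer excluded from the cipher string).
SAMPLE_CONF = """options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
sslVersion = TLSv1.2
[https]
accept = listserver_domain.com:443   ; placeholder host from the article
connect = 10.0.0.5:8080
ciphers = ECDHE:DHE:!aNULL:!eNULL:!RC4:!MD5:!AES128:!CBC
"""


def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}; '' is the global section."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        # repeated keys such as 'options' accumulate, as stunnel itself allows
        conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf


def audit_tls_policy(conf, min_version="TLSv1.2"):
    """Return a list of findings; an empty list means the policy holds."""
    findings, glob = [], conf.get("", {})
    missing = REQUIRED_OPTIONS - set(glob.get("options", []))
    if missing:
        findings.append("legacy protocols not disabled: " + ", ".join(sorted(missing)))
    if glob.get("sslVersion", [None])[-1] != min_version:
        findings.append(f"sslVersion is not pinned to {min_version}")
    for name, svc in ((n, s) for n, s in conf.items() if n):  # skip global section
        if not svc.get("connect", [""])[-1].startswith("127.0.0.1:"):
            findings.append(f"[{name}] backend is not loopback; plaintext would leave the host")
        absent = REQUIRED_EXCLUSIONS - set(svc.get("ciphers", [""])[-1].split(":"))
        if absent:
            findings.append(f"[{name}] cipher string does not exclude " + ", ".join(sorted(absent)))
    return findings
```

To check a deployed file, pass its contents in instead of the sample: `audit_tls_policy(parse_stunnel_conf(open(path).read()))`.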

Install Stunnel service

Execute the following in a command line run with Administrator permissions:

"C:\Program Files (x86)\stunnel\bin\stunnel.exe" -install

Start the Stunnel service

Modify Sites to use HTTPS

After making those changes, use https://yourdomain.com/ to access the admin interface. In Utilities : Administration : Sites, ensure that all sites have https:// selected in the URL to web interface option.

Confirm the HTTPS configuration with SSL Labs (https://www.ssllabs.com/ssltest/); the report shows which protocol versions and cipher suites the server accepts.

Priyanka Bhotika