Enforcing TLS 1.2 or 1.3 in Lyris LM using Stunnel

Overview

Your security team has recommended enforcing TLS 1.2 or 1.3 on your Lyris LM server(s), and you would like to know whether this is possible and how to implement it. Note that the configuration described here covers HTTPS only; Stunnel can also be configured to add TLS 1.3 for incoming StartTLS SMTP connections, but that is not covered in this article.

Solution

This is covered by the Enforcing TLS 1.2 or 1.3 in Lyris LM using Nginx Reverse Proxy article, but as that solution is quite complex, we've created this alternative article that does the same with Stunnel, which is easier to work with for single-domain installs. For multi-domain installations, you may need to work out SNI forwarding on the Stunnel side yourself.

Install Stunnel

Download Stunnel and install it to the default location; it will be installed to:

C:\Program Files (x86)\stunnel

Make the following changes to the configuration:

C:\Program Files (x86)\stunnel\config\stunnel.conf - as the commented lines in the default file don't matter, you can replace the whole file with the contents below, replacing listserver_domain.com with the domain used:

; select the SSL/TLS versions to serve the outside world with - TLS 1.2 only in this case
; the NO_* options disable each legacy protocol version; sslVersion pins the version that is served
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
sslVersion = TLSv1.2

[https]
; replace listserver_domain.com with the domain used
accept = listserver_domain.com:443
; internal proxy to ListManager over a localhost port 8080 connection
connect = 127.0.0.1:8080
; the paths to the public certificate and private key, same folder as stunnel.conf in this case
cert = ./cert.pem
key = ./certKey.pem
TIMEOUTclose = 0
; ciphers to use, these are the A++ rating ciphers for TLS 1.2
ciphers = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128:!ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA:!CBC
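As an added check that is not part of this article or of Stunnel, the following Python script parses a stunnel.conf in the format above and reports, per service section, whether the legacy protocol versions are disabled and the cipher string carries the exclusions shown. The embedded configuration is a constructed sample mirroring the article's settings, and the pass criteria (the NO_* legacy options or a 1.2/1.3 sslVersion, plus the listed cipher exclusions) are this example's own, not a Stunnel rule.

```python
"""Audit a stunnel.conf for the TLS hardening this article applies.
Added example, not from the article or Stunnel. SAMPLE_CONF below is a
constructed sample mirroring the article's config. Handles global keys before
the first [section], ';'/'#' comments, repeatable 'options', service overrides."""
from collections import defaultdict
SAMPLE_CONF = """
; versions to serve the outside world with - TLS 1.2 only
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
sslVersion = TLSv1.2
[https]
connect = 127.0.0.1:8080
ciphers = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CBC
"""
LEGACY_OPTIONS = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1_1"}
MODERN_VERSIONS = {"TLSv1.2", "TLSv1.3"}
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "RC4", "MD5", "3DES"}


def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}; global keys live under ''."""
    conf = defaultdict(lambda: defaultdict(list))
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # skip blank and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip()].append(value.strip())
    return conf


def audit(text):
    """Return {service: {"versions_ok": bool, "ciphers_ok": bool}}."""
    conf = parse_stunnel_conf(text)
    glob = conf.get("", {})
    report = {}
    for name, svc in ((n, s) for n, s in conf.items() if n):
        # 'options' accumulates across scopes; service sslVersion/ciphers override global
        options = set(glob.get("options", [])) | set(svc.get("options", []))
        version = (svc.get("sslVersion") or glob.get("sslVersion") or [""])[-1]
        ciphers = (svc.get("ciphers") or glob.get("ciphers") or [""])[-1]
        excluded = {t[1:] for t in ciphers.split(":") if t.startswith("!")}
        versions_ok = LEGACY_OPTIONS <= options or version in MODERN_VERSIONS
        report[name] = {"versions_ok": versions_ok, "ciphers_ok": REQUIRED_EXCLUSIONS <= excluded}
    return report
```

Run `audit(open(path).read())` against the installed stunnel.conf; this only inspects the file, so SSL Labs (or an equivalent live scan) is still needed to confirm what the listener actually negotiates.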

C:\Program Files (x86)\ListManager\tclweb\bin\tclhttpd.rc

# the host can stay as it was, but it's preferable to listen on localhost only
Config ipaddr {127.0.0.1}
Config host {localhost}
# change the port to 8080 for plain HTTP connections; they are served only on localhost
Config port 8080
# disable HTTPS on the ListManager side, as Stunnel now terminates TLS
Config USE_SSL2 0
Config USE_SSL3 0
Config USE_TLS1 0


Install Stunnel service

Execute the following in a command prompt run with Administrator permissions:

"C:\Program Files (x86)\stunnel\bin\stunnel.exe" -install


Start the Stunnel service


Modify Sites to use HTTPS

After making those changes, use https://yourdomain.com/ to access the admin interface, and under Utilities : Administration : Sites ensure that all sites have https:// selected in the "URL to web interface:" option.


Confirm the HTTPS security with SSLLABS


Priyanka Bhotika