[stunnel-users] How to use stunnel as a HTTPS to HTTPS reverse proxy

Claudio Beretta claudio.beretta at helloinnovation.com
Tue Feb 23 18:13:36 CET 2016

I'd like Stunnel to act as a reverse proxy that accepts TLS 1.0 and TLS 1.2
for https://example.com and then forwards the traffic to https://example.net,
another web server that only accepts TLS 1.2
browser --TLS 1.0 or 1.2--> Stunnel --TLS 1.2--> Web App

The browser should have no idea that example.net even exists (only
example.com certificate will be presented to the browser).
Is this something Stunnel can do?

This is what I got so far:

cert = example.com.pem

client = yes
accept =
connect = localhost:54323
CAfile = sca.server1.crt.pem
;verify = 2

client = no
accept = localhost:54323
connect = example.net:443
;CAfile = SymantecClass3EVSSLCA-G3.pem

example.com.pem contains the public and decrypted private key for
sca.server1.crt.pem contains the intermediate and root certificates of the
CA that issues the example.com.pem certificate

It partially works: the browser shows example.com in the address bad and
the content of example.net, but the certificate that is returned is from

What am I doing wrong?
Or do you have other recommendations to get something like this working on
Windows Server 2008 R2? (IIS + Application Request Routing + URL Rewrite
won't work: TLS1.2 is not properly supported)

Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20160223/d011b795/attachment.html>

More information about the stunnel-users mailing list