[stunnel-users] Using CAPI Engine for client authentication

Shay Cohen shayco at gmail.com
Sun Feb 21 10:23:59 CET 2016


Hi,

I was using stunnel 5.28; upgraded to 5.31b2.

Re-testing with 5.31b2, adding 'key=CN' and debug=info:
--- Config
debug = info
engine = capi
engineCtrl = debug_level:2
engineCtrl = debug_file:c:\keys\capi.txt
key = 1.2.3.4
CAfile = c:\cacert.pem
verify = 2
#options = NO_TLSv1.1
[test]
engineId = capi
client = yes
accept = 0.0.0.0:9001
connect = 1.2.3.4:9000

--- Stunnel log file
LOG5[main]: Reading configuration from file stunnel.conf
LOG5[main]: UTF-8 byte order mark detected
LOG6[main]: Engine #1 (capi) initialized
LOG5[main]: FIPS mode disabled
LOG6[main]: Initializing service [test]
LOG6[main]: Client certificate engine (capi) enabled
LOG4[main]: Service [test] uses "verify = 2" without subject checks
LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
LOG5[main]: Configuration successful
LOG5[10]: Service [test] accepted connection from 127.0.0.1:49960
LOG6[10]: s_connect: connecting 1.2.3.4:9000
LOG5[10]: s_connect: connected 1.2.3.4:9000
LOG5[10]: Service [test] connected remote server from 10.0.2.15:49961
LOG6[10]: SNI: sending servername: 1.2.3.4
LOG6[10]: Certificate accepted at depth=1: C=US, ST=New Yorl, O=company1,
OU=depdev, CN=1.2.3.4, emailAddress=e at mail.com
LOG5[10]: Certificate accepted at depth=0: C=US, ST=New York, L=New York,
O=company1, OU=depdev, CN=1.2.3.4, emailAddress=e at mail.com
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG3[10]: SSL_connect: 14094410: error:14094410:SSL
routines:ssl3_read_bytes:sslv3 alert handshake failure
LOG5[10]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

--- capi.txt
Opening Certificate Store: MY

Thank you,
Shay

On Fri, Feb 19, 2016 at 9:51 PM, Michał Trojnara <Michal.Trojnara at stunnel.org> wrote:

> On 18.02.2016 10:47, Shay Cohen wrote:
> > But in this case it does not get the certificate (for some reason).
> >
> I forgot to ask the obvious question:
> Which version of stunnel do you use?
>
> At least for the private key, you may specify its name with
> "key = <the common name of your client certificate>".
> I haven't tested it for the "cert" option and the CAPI engine.
>
> I also updated stunnel to include some additional details for client
> certificates requested by the server:
> https://www.stunnel.org/downloads/beta/stunnel-5.31b2-installer.exe
> Please send us the log files it produces with "debug = info".
>
> Best regards,
>         Mike
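The log above shows the pattern that makes this kind of problem easy to miss at LOG5 and above: the server's chain is accepted at depth 1 and 0, stunnel then logs "No client CA list" several times, and the connection ends with a handshake_failure alert before any application bytes are sent. The parser below, an added example that is not part of this thread or of stunnel itself, reads stunnel log lines in the `LOG<level>[<connection>]: <message>` form, joins lines that a mail client wrapped, and produces a per-connection summary plus the configuration-time warnings (such as the "verify = 2" without subject checks warning). The "client_auth_failure" verdict is a heuristic I chose for this example: server certificate accepted, at least one "No client CA list" line, then a handshake-failure alert, which is exactly the sequence in Shay's log. The sample log is the one from the message, embedded as constructed input.

```python
import re

# Constructed sample: the stunnel log lines from the message above, kept with
# the e-mail line wrapping so the parser has to join continuation lines.
SAMPLE_LOG = """\
LOG5[main]: Reading configuration from file stunnel.conf
LOG6[main]: Engine #1 (capi) initialized
LOG6[main]: Client certificate engine (capi) enabled
LOG4[main]: Service [test] uses "verify = 2" without subject checks
LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
LOG5[main]: Configuration successful
LOG5[10]: Service [test] accepted connection from 127.0.0.1:49960
LOG6[10]: s_connect: connecting 1.2.3.4:9000
LOG5[10]: s_connect: connected 1.2.3.4:9000
LOG6[10]: SNI: sending servername: 1.2.3.4
LOG6[10]: Certificate accepted at depth=1: C=US, ST=New Yorl, O=company1,
OU=depdev, CN=1.2.3.4, emailAddress=e at mail.com
LOG5[10]: Certificate accepted at depth=0: C=US, ST=New York, L=New York,
O=company1, OU=depdev, CN=1.2.3.4, emailAddress=e at mail.com
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG3[10]: SSL_connect: 14094410: error:14094410:SSL
routines:ssl3_read_bytes:sslv3 alert handshake failure
LOG5[10]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

# stunnel prefix: LOG<syslog level>[<connection id or "main">]: <message>
LINE_RE = re.compile(r"^LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$")
RESET_RE = re.compile(
    r"Connection reset: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")


def parse_log(text):
    """Return (level, conn, message) tuples; lines without a LOG prefix are
    treated as continuations of the previous record (mail-client wrapping)."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append([int(m.group("level")), m.group("conn"), m.group("msg")])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()
    return [tuple(r) for r in records]


def config_warnings(records):
    """Configuration-time warnings (level 4 or worse) logged under [main]."""
    return [msg for level, conn, msg in records if conn == "main" and level <= 4]


def classify(s):
    """Heuristic verdict for one connection (assumption of this example)."""
    if s["handshake_alert"] and s["server_cert_accepted"] and s["no_client_ca_list"]:
        # Server verified, a client certificate was requested, then the server
        # sent handshake_failure: the client-side certificate is the suspect.
        return "client_auth_failure"
    if s["handshake_alert"]:
        return "handshake_failure"
    if s["bytes_to_ssl"] == 0 and s["bytes_to_socket"] == 0:
        return "no_data"
    return "ok"


def summarize_connections(records):
    """Per-connection summary keyed by stunnel connection id."""
    summary = {}
    for level, conn, msg in records:
        if conn == "main":
            continue
        s = summary.setdefault(conn, {
            "server_cert_accepted": False,  # depth=0 certificate accepted
            "no_client_ca_list": 0,         # "No client CA list" occurrences
            "handshake_alert": False,       # peer sent handshake_failure
            "bytes_to_ssl": None,
            "bytes_to_socket": None,
        })
        if msg.startswith("Certificate accepted at depth=0"):
            s["server_cert_accepted"] = True
        elif msg == "No client CA list":
            s["no_client_ca_list"] += 1
        elif "alert handshake failure" in msg:
            s["handshake_alert"] = True
        else:
            m = RESET_RE.search(msg)
            if m:
                s["bytes_to_ssl"] = int(m.group(1))
                s["bytes_to_socket"] = int(m.group(2))
    for s in summary.values():
        s["verdict"] = classify(s)
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for warning in config_warnings(recs):
        print("config warning:", warning)
    for conn, s in summarize_connections(recs).items():
        print(f"connection {conn}: {s['verdict']} ({s})")
```

Run against a real log with `debug = info` (level 6) or higher, since the "No client CA list" and "Certificate accepted at depth=1" lines are LOG6 and would be absent at the default level. The configuration-warning list also surfaces the two LOG4 lines from the log above, which stunnel emits because `verify = 2` accepts any certificate signed by a CA in `CAfile` unless `checkHost` or `checkIP` narrows it.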