[stunnel-users] Client certificate using CAPI

Małgorzata Olszówka gosia at olszowka.net
Wed Feb 1 10:55:25 CET 2017


Hello,
I noticed the following logs:

2017.01.31 18:24:27 LOG3[0]: error queue: 14099006: error:14099006:SSL routines:ssl3_send_client_verify:EVP lib
2017.01.31 18:24:27 LOG3[0]: SSL_connect: 80070063: error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object

The capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached
to the key for cryptographic operations. Unfortunately this means that 
SHA2 algorithms are not supported for client authentication.

OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2 
in earlier versions of OpenSSL, it will not use SHA2 for client auth, so 
that will also work.

So try to set the global option:
sslVersion = TLSv1.1

Regards.
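
An added example, not part of the original post and not stunnel's own code: a log check that re-joins the wrapped log lines and flags handshakes where the `ssl3_send_client_verify` error is followed by the `CAPI_RSA_SIGN` error on the same thread, the pairing shown in the logs above. The function names and the lines marked constructed are assumptions.

```python
import re

# stunnel log record: "YYYY.MM.DD HH:MM:SS LOGn[thread]: message"
LINE_RE = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG\d\[([^\]]+)\]: (.*)$")
# The two OpenSSL error strings quoted in the post.
VERIFY_ERR = "error:14099006:SSL routines:ssl3_send_client_verify:"
CAPI_ERR = "error:80070063:lib(128):CAPI_RSA_SIGN:"

# Log lines as they appear in the post, still wrapped by the mail client.
POST_LINES = """\
2017.01.31 18:24:27 LOG3[0]: error queue: 14099006: error:14099006:SSL
routines:ssl3_send_client_verify:EVP lib
2017.01.31 18:24:27 LOG3[0]: SSL_connect: 80070063:
error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object
"""
# Constructed lines (not from the post): an unrelated failure on another thread.
CONSTRUCTED_LINES = """\
2017.01.31 18:25:02 LOG5[1]: Service [demo] accepted connection from 127.0.0.1:50000
2017.01.31 18:25:02 LOG3[1]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
"""

def unwrap(text):
    """Re-join records whose tail was wrapped onto a continuation line."""
    records = []
    for raw in text.splitlines():
        if LINE_RE.match(raw):
            records.append(raw.rstrip())
        elif records and raw.strip():
            records[-1] += " " + raw.strip()
    return records

def find_capi_sign_failures(text):
    """Return (timestamp, thread) where the capi signing error follows the verify error."""
    pending, hits = set(), []
    for rec in unwrap(text):
        ts, thread, msg = LINE_RE.match(rec).groups()
        if VERIFY_ERR in msg:
            pending.add(thread)
        elif CAPI_ERR in msg and thread in pending:
            hits.append((ts, thread))
            pending.discard(thread)
        elif not msg.startswith("error queue:"):
            pending.discard(thread)  # thread moved on; drop the half-match
    return hits

if __name__ == "__main__":
    for ts, thread in find_capi_sign_failures(POST_LINES + CONSTRUCTED_LINES):
        print(f"{ts} thread {thread}: capi ENGINE could not sign CertificateVerify")
```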