[stunnel-users] Stunnel in server mode with certificate from the Windows Certificate Store

merlin at mp3merlin.net
Tue Mar 6 10:36:58 CET 2018


Hello,

I'm trying to use stunnel in server mode with certificates from the Windows Certificate Store.
I have a basic configuration which is working with a PEM certificate file and I'm trying to get it
to use a cert via the CAPI engine.

Here is my basic (working) config:

debug = debug
output = C:\stunnel\stunnel.log

options = -NO_SSLv3


[https]
accept  = 443
connect = 80
cert = stunnel.pem




Here is my config using the CAPI engine:

debug = debug
output = C:\stunnel\stunnel.log

engine = capi
engineCtrl = debug_level:2
engineCtrl = debug_file:c:\stunnel\capi.log
engineCtrl = store_flags:1
engineCtrl = list_certs

options = -NO_SSLv3

[https]
accept  = 443
connect = 80
engineId = capi




However stunnel does not seem to find a certificate to use:

[...]
2018.03.06 10:22:05 LOG7[main]: Enabling support for engine "capi"
2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_level:2
2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_file:c:\stunnel\capi.log
2018.03.06 10:22:05 LOG7[main]: Executing engine control command store_flags:1
2018.03.06 10:22:05 LOG7[main]: Executing engine control command list_certs
2018.03.06 10:22:05 LOG7[main]: Initializing engine #1 (capi)
2018.03.06 10:22:05 LOG6[main]: Engine #1 (capi) initialized
[...]
2018.03.06 10:22:05 LOG6[main]: Initializing service [https]
2018.03.06 10:22:05 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.03.06 10:22:05 LOG7[main]: TLS options: 0x01004004 (+0x03004000, -0x02000000)
2018.03.06 10:22:05 LOG7[main]: No certificate or private key specified
[...]


And I have no certificates listed in the CAPI debug log:

Setting debug level to 2
Setting debug file to c:\stunnel\capi.log
Setting flags to 1
Listing certs for store MY
Opening certificate store MY
capi_cert_get_fname


When I load the engine via OpenSSL, I can see that a certificate is present in the store:

C:\stunnel\bin>openssl.exe engine -t dynamic -pre "SO_PATH:C:\stunnel\engines\capi.dll" -pre LOAD -post store_flags:1 -post store_name:MY -post list_certs
WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\stunnel\engines\capi.dll
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
     [ available ]
[Success]: store_flags:1
Certificate 0
  Friendly Name "test"
  Subject: CN = test
  Issuer: CN = test
[Success]: list_certs


This certificate (and the associated private key) was generated via the IIS Manager console, and I have imported it into the Local Computer store (with the private key).


Does anybody have any idea what I am missing to get this to work?

I can provide more logs and run more tests if necessary.
I'm using Stunnel 5.44 on Windows 2008 R2. I tried with an older version (5.40) but had the same problem.


Thanks.

Kevin
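An added check for this kind of problem, written by the editor; it is not part of Kevin's post and not code from the stunnel or OpenSSL projects. The post narrows the question down to whether the CAPI engine, opened with store_flags:1 (the Local Machine "MY" store), can see a certificate whose private key it can use. The script below inspects that store from PowerShell and reports, for each certificate matching a subject filter, the friendly name and subject (the identifiers the engine's list_certs prints), whether a private key is attached, and whether that key is reachable through the legacy CryptoAPI CSP interface. The subject filter "CN=test" is an assumption taken from the post's self-signed certificate.

```powershell
# Added example, not from the original post or from the stunnel/OpenSSL projects.
# Inspects the Windows certificate store that the CAPI engine opens when stunnel
# is configured with "engineCtrl = store_flags:1" (Local Machine store, "MY") and
# reports whether each matching certificate carries a usable private key.
# Run in an elevated Windows PowerShell session on the stunnel host.

param(
    # Assumption: the post's self-signed certificate has subject "CN = test".
    [string]$SubjectFilter = 'CN=test'
)

# store_flags:1 selects the Local Machine store. The default (store_flags:0) is
# the Current User store, which a service account does not share with the
# interactive user who imported the certificate.
$storePath = 'Cert:\LocalMachine\My'

$found = Get-ChildItem -Path $storePath | Where-Object { $_.Subject -like "*$SubjectFilter*" }

if (-not $found) {
    Write-Warning "No certificate matching '$SubjectFilter' in $storePath."
    Write-Warning "Check Cert:\CurrentUser\My as well: a certificate imported there is invisible to an engine opened with store_flags:1."
    return
}

foreach ($cert in $found) {
    $provider = 'no private key'
    if ($cert.HasPrivateKey) {
        try {
            # On Windows PowerShell the .PrivateKey property is populated only for
            # keys held by a legacy CryptoAPI CSP. The OpenSSL CAPI engine acquires
            # keys through that same legacy interface, so a key stored under a CNG
            # key storage provider shows up here as null and may not be usable by it.
            $key = $cert.PrivateKey
            if ($key -and $key.CspKeyContainerInfo) {
                $provider = $key.CspKeyContainerInfo.ProviderName
            } else {
                $provider = 'private key not exposed via legacy CSP (possibly CNG/KSP)'
            }
        } catch {
            # Typically access denied: the account running this (or the account
            # the stunnel service runs as) lacks read permission on the key.
            $provider = "private key not readable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        FriendlyName  = $cert.FriendlyName   # printed by the engine's list_certs as "Friendly Name"
        Subject       = $cert.Subject        # printed by list_certs as "Subject"
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyProvider   = $provider
    }
}
```

Run it once as the interactive user and once as the account the stunnel service runs under; a certificate that lists fine in the first run but shows "private key not readable" in the second points at key ACLs rather than at the engine. The FriendlyName and Subject columns are what the engine matches a certificate identifier against. Separately from the post, the stunnel manual describes the cert option as doubling as the certificate identifier when an engine is enabled, so with engineId set, cert is expected to carry that identifier rather than a file name; check this against the manual of the installed version rather than taking it from this note.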


