[stunnel-users] Stunnel 3.50 Win - CAPI stopped working

Flo Rance trourance at gmail.com
Mon Feb 18 09:25:53 CET 2019


The latest version of stunnel is 5.50. Do you really use version 3.50?

Flo

On Fri, Feb 15, 2019 at 8:14 AM <pepak at seznam.cz> wrote:

> Hello,
>
> I have encountered a bug in Stunnel version 3.50. I have a setup with
> two computers (Server and Client) connected using Stunnel. The client is
> using a hardware token through the CAPI engine to authenticate itself to
> a server, using a config file:
>
> -----
> fips = no
> taskbar = yes
> options = NO_SSLv2
> options = NO_SSLv3
> sslVersion = TLSv1.2
> engine = capi
>
> [my-server]
> client = yes
> accept = 22
> connect = my.server.com:1234
> requireCert = yes
> verifyChain = yes
> verifyPeer = yes
> CAfile = my-cert-chain.pem
> engineId = capi
> -----
>
> This setup works perfectly in Stunnel 3.49: When I try to connect to
> localhost:22, I receive a request to select a certificate and enter its
> PIN, and if successful, a connection to my server is established.
>
> In Stunnel 3.50, the connection fails to complete. The Stunnel log shows:
>
> LOG5[0]: Service [my-server] accepted connection from 127.0.0.1:49713
> LOG5[0]: s_connect: connected 1.2.3.4:1234
> LOG5[0]: Service [my-server] connected remote server from 10.11.12.13:49714
> LOG5[0]: Certificate accepted at depth=0: CN=My server
> LOG3[0]: error queue: 141F0006: error:141F0006:SSL
> routines:tls_construct_cert_verify:EVP lib
> LOG3[0]: SSL_connect: 8006F074:
> error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
> LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>
> However, if I change the engine to the default one and use a certificate
> in file, everything works fine. That suggests to me that the problem
> lies in the Stunnel's CAPI engine library.
>
> It is quite possible the problem is caused by the CAPI engine itself. I
> was experimenting with OpenSSL 1.1.1a some time back, trying to compile
> my own library files, and I just couldn't get CAPI to work at all -
> the libraries themselves compiled OK and worked fine, but the CAPI
> engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
> only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
> 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
> expert on compiling OpenSSL, so I may have gotten it completely wrong.
>
> Could someone please verify that their CAPI engine is working with
> Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from
> version 1.0.2q just to see if it might start working - in that case, a
> bug report to OpenSSL may be in order.
>
> Thanks.
>
> pepak
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
