<div dir="ltr"><div>Thank you Jose. Disappointing but useful to know...</div><div><br></div><div>Regards,</div><div>Michael<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 3, 2020 at 3:00 PM Jose Alf. &lt;<a href="mailto:josealf@rocketmail.com">josealf@rocketmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:13px"><div></div>
        <div dir="ltr">Michael,</div><div dir="ltr"><br></div><div dir="ltr">Answers below:</div><div dir="ltr"><br></div><div><br></div>
        
        </div><div id="gmail-m_7636268581078510290ydpf97bc5d5yahoo_quoted_1963029058">
            <div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
                
                <div>>On Wednesday, June 3, 2020, 05:22:19 AM GMT-5, Michael S. Chusovitin &lt;<a href="mailto:tchuss@gmail.com" target="_blank">tchuss@gmail.com</a>&gt; wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div id="gmail-m_7636268581078510290ydpf97bc5d5yiv5951367048"><div dir="ltr">
<div>>No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 - it logs 
"<span lang="EN-US">CAPI_GET_KEY:cryptacquirecontext error"</span>

 or "<span lang="EN-US">CAPI_CTX_SET_PROVNAME:cryptacquirecontext error"<b> </b>(depending on selected csp_name and csp_type)<b>.<br clear="none"></b></span></div><div dir="ltr"><span><span style="color:rgb(38,40,42);font-family:Helvetica Neue,Helvetica,Arial,sans-serif">></span></span>Did anyone succeed in getting stunnel+capi to work for TLS 1.2?</div><div dir="ltr"><br></div><div dir="ltr">Unlikely. Maybe with OpenSSL 1.0. See below.</div><div><br></div><div>>Maybe some OpenSSL configuration commands could help... But I cannot imagine what.</div><div>>And I did see "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" phrase in sample stunnel.conf - isn't it an obsolete restriction?</div><div><br clear="none"></div><div><br></div><div dir="ltr"><div dir="ltr">No. It is a restriction in OpenSSL 1.1.x that won't be fixed. See <a href="https://github.com/openssl/openssl/issues/8872" rel="nofollow" target="_blank">https://github.com/openssl/openssl/issues/8872</a></div><div dir="ltr"><br></div>However, in the thread it seems the CAPI engine in OpenSSL 1.0.x works with TLS 1.2... So, maybe an stunnel compiled against the deprecated OpenSSL 1.0.2 could give better results in your case...</div><div dir="ltr"><br></div><div dir="ltr">Regards,</div><div dir="ltr">Jose</div><div><br></div><div><br></div></div><div id="gmail-m_7636268581078510290ydpf97bc5d5yiv5951367048yqt97609"><div><div dir="ltr">On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. &lt;<a shape="rect" href="mailto:josealf@rocketmail.com" rel="nofollow" target="_blank">josealf@rocketmail.com</a>&gt; wrote:<br clear="none"></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif;font-size:13px"><div></div>
        <div dir="ltr">Hi Michael,</div><div dir="ltr"><br clear="none"></div><div dir="ltr">See below:</div><div><br clear="none"></div>
        
        </div><div id="gmail-m_7636268581078510290ydpf97bc5d5yiv5951367048gmail-m_-2866598122373902680ydp9381a55byahoo_quoted_1895285137">
            <div style="font-size:13px;color:rgb(38,40,42)">
                
                <div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">
                    On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin &lt;<a shape="rect" href="mailto:tchuss@gmail.com" rel="nofollow" target="_blank">tchuss@gmail.com</a>&gt; wrote:
                </div>
                <div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></div>
                <div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><br clear="none"></div><div><div id="gmail-m_7636268581078510290ydpf97bc5d5yiv5951367048gmail-m_-2866598122373902680ydp9381a55byiv0229049510"><div dir="ltr"><div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span lang="EN-US">> Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use 32bit version, so no possibility to upgrade).<br clear="none"></span></div><div style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif"><span lang="EN-US"><br clear="none"></span></div><div dir="ltr"><span lang="EN-US">Actually, you can upgrade your Windows 32-bit stunnel. Either, you compile your own, or you can get the latest from here:</span></div><div dir="ltr"><span lang="EN-US"><br clear="none"></span></div><div dir="ltr"><div><div><a shape="rect" href="https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5.56-ossl-1.1.1g-installer.exe" rel="nofollow" target="_blank">josealf/stunnel-win32</a></div><div><br></div><div><br></div><div><br></div><div><br clear="none"></div></div></div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Regards,</div><div dir="ltr" style="font-family:Helvetica Neue,Helvetica,Arial,sans-serif">Jose</div></div></div></div></div>
            </div>
        </div></div></blockquote></div></div></div><div id="gmail-m_7636268581078510290ydpf97bc5d5yqt37978">_______________________________________________<br clear="none">stunnel-users mailing list<br clear="none"><a shape="rect" href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br clear="none"><a shape="rect" href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="nofollow" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br clear="none"></div></div>
            </div>
        </div></div></blockquote></div>