The latest version of stunnel is 5.50. Do you really use version 3.50?

Flo

On Fri, Feb 15, 2019 at 8:14 AM <pepak@seznam.cz> wrote:
Hello,

I have encountered a bug in Stunnel version 3.50. I have a setup with
two computers (Server and Client) connected using Stunnel. The client is
using a hardware token through the CAPI engine to authenticate itself to
a server, using a config file:

-----
fips = no
taskbar = yes
options = NO_SSLv2
options = NO_SSLv3
sslVersion = TLSv1.2
engine = capi

[my-server]
client = yes
accept = 22
connect = my.server.com:1234
requireCert = yes
verifyChain = yes
verifyPeer = yes
CAfile = my-cert-chain.pem
engineId = capi
-----

This setup works perfectly in Stunnel 3.49: When I try to connect to
localhost:22, I receive a request to select a certificate and enter its
PIN, and if successful, a connection to my server is established.

In Stunnel 3.50, the connection fails to complete. The Stunnel log shows:

LOG5[0]: Service [my-server] accepted connection from 127.0.0.1:49713
LOG5[0]: s_connect: connected 1.2.3.4:1234
LOG5[0]: Service [my-server] connected remote server from 10.11.12.13:49714
LOG5[0]: Certificate accepted at depth=0: CN=My server
LOG3[0]: error queue: 141F0006: error:141F0006:SSL
routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074:
error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

However, if I change the engine to the default one and use a certificate
in a file, everything works fine. That suggests to me that the problem
lies in Stunnel's CAPI engine library.

It is quite possible the problem is caused by the CAPI engine itself. I
was experimenting with OpenSSL 1.1.1a some time back, trying to compile
my own library files, and I just couldn't get CAPI to work at all -
the libraries themselves compiled OK and worked fine, but the CAPI
engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
expert on compiling OpenSSL, so I may have gotten it completely wrong.

Could someone please verify that their CAPI engine is working with
Stunnel? Also, it may be worth trying to compile a 64-bit CAPI.dll from
version 1.0.2q just to see if it might start working - in that case, a
bug report to OpenSSL may be in order.

Thanks.

pepak
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
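An added example, not part of the thread: a small Python helper that re-joins the mail-wrapped stunnel log records quoted above and decodes the packed OpenSSL error codes in them, so that "lib(128)" is recognised as an engine-side error rather than one from libssl itself. The log excerpt is a constructed copy of the lines in the report.

```python
import re

# Constructed copy of the stunnel log excerpt from the report; the two LOG3
# records are wrapped onto continuation lines exactly as the mail was.
SAMPLE_LOG = """\
LOG5[0]: Certificate accepted at depth=0: CN=My server
LOG3[0]: error queue: 141F0006: error:141F0006:SSL
routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074:
error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# OpenSSL 1.1.x packs an error as lib<<24 | func<<12 | reason; library numbers
# from ERR_LIB_USER (128) upward belong to engines and applications, not libssl.
ERR_LIB_USER = 128
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def unwrap(text):
    """Re-join log records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if line.startswith("LOG") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def decode(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def openssl_errors(text):
    """Return one dict per OpenSSL error record found in a stunnel log."""
    out = []
    for rec in unwrap(text):
        m = ERR_RE.search(rec)
        if not m:
            continue
        lib, func, reason = decode(int(m.group(1), 16))
        out.append({
            "code": m.group(1).upper(), "lib": lib, "func": func, "reason": reason,
            "lib_name": m.group(2), "func_name": m.group(3),
            "reason_text": m.group(4).strip(),
            "from_engine": lib >= ERR_LIB_USER,  # engine-side failure, as here
        })
    return out
```

Run over the excerpt, the first record decodes to library 20 (SSL routines) and the second to library 128, i.e. the CAPI engine reporting that capi_rsa_priv_enc is not supported.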