[stunnel-users] windows certificate store

MichaƂ Trojnara Michal.Trojnara at stunnel.org
Fri Mar 11 10:30:29 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 11.03.2016 07:12, Jim Howland wrote:
> I am running a windows instance of stunnel as a client and  A
> Linux version as the server
> 
> When I set this on the Windows side :
> 
> engine = capi
> 
> and  this in my section:
> 
> engineId = capi
> 
> I get an error message that CApath or CAFile still needs to be set.
> My understanding is that these setting should make stunnel use the
> Windows certificate store to find a root and intermediate
> certificate to authenticate my (Symantec generated) certificate and
> should not require a CAfile.

The CAPI engine does not support verification of peer certificates.
In order to authenticate your server (verify = 3) you still need
CApath or CAfile.  In your configuration CAPI can only perform client
authentication (if this is what you really need).

Best regards,
	Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJW4pA1AAoJEC78f/DUFuAUzy4P/0jrPvrbRzGt33ZiwpUBNpUh
6rV3DWtAN/oy9Ue1Hd1pbtttRTA9k5+IEgLYkmGKKQGmsjTBtFWnBrdnLpoZYas+
c+TzesPj1Mqe9vA6lWd4+Xlnhps4TiEq0QBcDrnJkNz3swkWAGfjnKQpXSJ/R+RV
4lJPpkjnE91kdmV+kFM8mQGwTSzjbrEg0z98KM3aexZ1c4ujtj7GpDlfq0Ywi21Z
udX43OcBOQL4Y4WvmtkyeUO7p3nUrR5WSg3jRMBn40W1tzpKdRVTFUTH5PnyzrRf
c1RRNtupJ0glTeOYagVv8byZdOwgb28rEWkYAbfiGd5DQGy2c2bN0VYsfxEkmOul
WM0LNsOEWEx5MmTnVsEr0cLKwT76PtA/d6UKCDP/XiWFp9V0RN13kCpP/tJsRRLS
SfU4/1tztFs7SyMq91SVrtZRWXDN/557RB01XKe88CoC1AA9h1snn2Dcm4+MV73b
KoBDn0OxkeuUTXLg3qYPntPkhgBaXZosl2qDvjLO63EcI3+iCjIPpb8VI2yIJIzd
7Mp9Zm8+ntvXDzv9YLr7sF+o/a0suXkzaBnZDel73XKkcJ/cP5SR8e50qgvTEWyf
0DEeuounDgXz88l1Mddo/SFVchtbfrnMZMws/VUkMgvPepSejt4GBMlsxL+vvOtX
W0iWe9c3pn6P9zOV1YWm
=xkgg
-----END PGP SIGNATURE-----


More information about the stunnel-users mailing list