[stunnel-users] Client certificate using CAPI

Małgorzata Olszówka gosia at olszowka.net
Wed Feb 1 10:55:25 CET 2017

I noticed the following logs:

2017.01.31 18:24:27 LOG3[0]: error queue: 14099006: error:14099006:SSL 
routines:ssl3_send_client_verify:EVP lib
2017.01.31 18:24:27 LOG3[0]: SSL_connect: 80070063: 
error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object

The capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached
to the key for cryptographic operations. Unfortunately this means that 
SHA2 algorithms are not supported for client authentication.

OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2 
in earlier versions of OpenSSL it will not use SHA2 for client auth so 
that will also work.

So try to set the global option:
sslVersion = TLSv1.1


More information about the stunnel-users mailing list