[stunnel-users] Stunnel 3.50 Win - CAPI stopped working

Małgorzata Olszówka Malgorzata.Olszowka at stunnel.org
Tue Feb 19 15:32:48 CET 2019


> I have encountered a bug in Stunnel version 3.50. I have a setup with 
> two computers (Server and Client) connected using Stunnel. The client is 
> using a hardware token through the CAPI engine to authenticate itself to 
> a server, using a config file:
> 
> -----
> LOG3[0]: error queue: 141F0006: error:141F0006:SSL 
> routines:tls_construct_cert_verify:EVP lib
> LOG3[0]: SSL_connect: 8006F074: 
> error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
> LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> 
> It is quite possible the problem is caused by the CAPI engine itself. I 
> was experimenting with OpenSSL 1.1.1a some time back, trying to compile 
> my own library files, and I just couldn't get CAPI to work at all - 
> the libraries themselves compiled OK and worked fine, but the CAPI 
> engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the 
> only way I could get CAPI to work with OpenSSL 1.1.1a was to use the 
> 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an 
> expert on compiling OpenSSL, so I may have gotten it completely wrong.
> 
> Could someone please verify that their CAPI engine is working with 
> Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from 
> version 1.0.2q just to see if it might start working - in that case, a 
> bug report to OpenSSL may be in order.
> 

Hello,
I was able to replicate this error with Stunnel 5.50 when trying to 
connect to a server built with OpenSSL 1.1.1a.
Stunnel 5.50 (client) correctly connects to a server built with OpenSSL 
older than 1.1.1.
How did you get 1.0.2q capi.dll to work with OpenSSL 1.1.1a?
I placed 1.0.2q capi.dll in the stunnel/engines folder but it didn’t work.

Best regards,
Małgorzata Olszówka

