[stunnel-users] Stunnel 3.50 Win - CAPI stopped working
Malgorzata.Olszowka at stunnel.org
Tue Feb 19 15:32:48 CET 2019
> I have encountered a bug in Stunnel version 3.50. I have a setup with
> two computers (Server and Client) connected using Stunnel. The client is
> using a hardware token through the CAPI engine to authenticate itself to
> a server, using a config file:
> LOG3: error queue: 141F0006: error:141F0006:SSL
> routines:tls_construct_cert_verify:EVP lib
> LOG3: SSL_connect: 8006F074:
> error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
> LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> It is quite possible the problem is caused by the CAPI engine itself. I
> was experimenting with OpenSSL 1.1.1a some time back, trying to compile
> my own library files, and I just couldn't to get CAPI to work at all -
> the libraries themselves compiled OK and worked fine, but the CAPI
> engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
> only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
> 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
> expert on compiling OpenSSL, so I may have gotten it completely wrong.
> Could someone please verify that their CAPI engine is working with
> Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from
> version 1.0.2q just to see if it might start working - in that case, a
> bug report to OpenSSL may be in order.
I was able to replicate this error with Stunnel 5.50 when trying to
connect to a server built with OpenSSL 1.1.1a.
Stunnel 5.50 (client) correctly connects to a server built with OpenSSL
older than 1.1.1
How did you get 1.0.2q capi.dll to work with OpenSSL 1.1.1a?
I placed 1.0.2q capi.dll in the stunnel/engines folder but it didn’t work.
More information about the stunnel-users