[stunnel-users] Stunnel 3.50 Win - CAPI stopped working

pepak at seznam.cz pepak at seznam.cz
Tue Feb 19 17:45:17 CET 2019

>> I have encountered a bug in Stunnel version 3.50. I have a setup with
>> two computers (Server and Client) connected using Stunnel. The client is
>> using a hardware token through the CAPI engine to authenticate itself to
>> a server, using a config file:
>> -----
>> LOG3[0]: error queue: 141F0006: error:141F0006:SSL 
>> routines:tls_construct_cert_verify:EVP lib
>> LOG3[0]: SSL_connect: 8006F074: 
>> error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
>> LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>> It is quite possible the problem is caused by the CAPI engine itself. I
>> was experimenting with OpenSSL 1.1.1a some time back, trying to compile
>> my own library files, and I just couldn't to get CAPI to work at all -
>> the libraries themselves compiled OK and worked fine, but the CAPI 
>> engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
>> only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
>> 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
>> expert on compiling OpenSSL, so I may have gotten it completely wrong.
>> Could someone please verify that their CAPI engine is working with 
>> Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from
>> version 1.0.2q just to see if it might start working - in that case, a
>> bug report to OpenSSL may be in order.

> Hello,
> I was able to replicate this error with Stunnel 5.50 when trying to 
> connect to a server built with OpenSSL 1.1.1a.
> Stunnel 5.50 (client) correctly connects to a server built with OpenSSL
> older than 1.1.1
> How did you get 1.0.2q capi.dll to work with OpenSSL 1.1.1a?
> I placed 1.0.2q capi.dll in the stunnel/engines folder but it didn’t work.

> Best regards,
> Małgorzata Olszówka


First of all, of course I made a mistake and wrote about version 3.50
when I meant 5.50.

I am encountering the problem from the client side. I can connect to a
server which is running version 5.50, but I have to use client version
5.49. I can also use a 5.50 client, but only with a standard
encryption engine, not CAPI.

My CAPI experiments were with a completely unrelated product - I was
trying to build an OpenSSL DLL with no external dependencies, and I
believe I ended up using a MinGW build for both 1.1.1 and 1.0.2. Both
32bit, so I can't even test them with the new Stunnel.


More information about the stunnel-users mailing list