[stunnel-users] Stunnel 3.50 Win - CAPI stopped working
pepak at seznam.cz
pepak at seznam.cz
Tue Feb 19 17:45:17 CET 2019
>> I have encountered a bug in Stunnel version 3.50. I have a setup with
>> two computers (Server and Client) connected using Stunnel. The client is
>> using a hardware token through the CAPI engine to authenticate itself to
>> a server, using a config file:
>> LOG3: error queue: 141F0006: error:141F0006:SSL
>> routines:tls_construct_cert_verify:EVP lib
>> LOG3: SSL_connect: 8006F074:
>> error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
>> LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>> It is quite possible the problem is caused by the CAPI engine itself. I
>> was experimenting with OpenSSL 1.1.1a some time back, trying to compile
>> my own library files, and I just couldn't to get CAPI to work at all -
>> the libraries themselves compiled OK and worked fine, but the CAPI
>> engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
>> only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
>> 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
>> expert on compiling OpenSSL, so I may have gotten it completely wrong.
>> Could someone please verify that their CAPI engine is working with
>> Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from
>> version 1.0.2q just to see if it might start working - in that case, a
>> bug report to OpenSSL may be in order.
> I was able to replicate this error with Stunnel 5.50 when trying to
> connect to a server built with OpenSSL 1.1.1a.
> Stunnel 5.50 (client) correctly connects to a server built with OpenSSL
> older than 1.1.1
> How did you get 1.0.2q capi.dll to work with OpenSSL 1.1.1a?
> I placed 1.0.2q capi.dll in the stunnel/engines folder but it didn’t work.
> Best regards,
> Małgorzata Olszówka
First of all, of course I made a mistake and wrote about version 3.50
when I meant 5.50.
I am encountering the problem from the client side. I can connect to a
server which is running version 5.50, but I have to use client version
5.49. I can also use a 5.50 client, but only with a standard
encryption engine, not CAPI.
My CAPI experiments were with a completely unrelated product - I was
trying to build an OpenSSL DLL with no external dependencies, and I
believe I ended up using a MinGW build for both 1.1.1 and 1.0.2. Both
32bit, so I can't even test them with the new Stunnel.
More information about the stunnel-users