[stunnel-users] CAPI_GET_KEY:cryptacquirecontext error
josealf at rocketmail.com
Wed Jun 3 13:59:57 CEST 2020
>On Wednesday, June 3, 2020, 05:22:19 AM GMT-5, Michael S. Chusovitin <tchuss at gmail.com> wrote:
>No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 - it logs "CAPI_GET_KEY:cryptacquirecontext error" or >"CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" (depending on selected csp_name and csp_type).
>Did anyone succeed in getting stunnel+capi work for TLS 1.2 ?
Unlikely. Maybe with OpenSSL 1.0. See below.
>Maybe some OpenSSL configuration commands could help... But I cannot imagine what.>And I did see "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" phrase in sample >stunnel.conf - isn't it an obsolete restriction?
No. It is a restriction in OpenSSL 1.1.x that won't be fixed. See https://github.com/openssl/openssl/issues/8872
However, in the thread it seems the CAPI engine in OpenSSL 1.0.x works with TLS 1.2... So, Maybe an stunnel compiled against the deprecated OpenSSL 1.0.2 could give better results in your case...
On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. <josealf at rocketmail.com> wrote:
On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <tchuss at gmail.com> wrote:
> Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use 32bit version, so no possibility to upgrade).
Actually, you can upgrade your Windows 32-bit stunnel. Either, you compile your own, or you can get the latest from here:
| | |
Binaries for Stunnel for Win32. Contribute to josealf/stunnel-win32 development by creating an account on GitHub.
stunnel-users mailing list
stunnel-users at stunnel.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the stunnel-users