[stunnel-users] CAPI_GET_KEY:cryptacquirecontext error

Michael S. Chusovitin tchuss at gmail.com
Thu Jun 4 15:57:02 CEST 2020


Thank you Jose. Disappointing but useful to know...

Regards,
Michael

On Wed, Jun 3, 2020 at 3:00 PM Jose Alf. <josealf at rocketmail.com> wrote:

> Michael,
>
> Answers below:
>
>
> >On Wednesday, June 3, 2020, 05:22:19 AM GMT-5, Michael S. Chusovitin <
> tchuss at gmail.com> wrote:
>
>
> >No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 - it logs  "CAPI_GET_KEY:cryptacquirecontext
> error" or >"CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" (depending
> on selected csp_name and csp_type)
> *.*
> >Did anyone succeed in getting stunnel+capi work for TLS 1.2 ?
>
> Unlikely. Maybe with OpenSSL 1.0. See below.
>
> >Maybe some OpenSSL configuration commands could help... But I cannot
> imagine what.
> >And I did see "You also need to disable TLS 1.2 or later because the
> CryptoAPI engine currently does not support PSS" phrase in sample
> >stunnel.conf - isn't it an obsolete restriction?
>
>
> No. It is a restriction in OpenSSL 1.1.x that won't be fixed. See
> https://github.com/openssl/openssl/issues/8872
>
> However, in the thread it seems the CAPI engine in OpenSSL 1.0.x works
> with TLS 1.2... So, Maybe an stunnel compiled against the deprecated
> OpenSSL 1.0.2 could give better results in your case...
>
> Regards,
> Jose
>
>
> On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. <josealf at rocketmail.com> wrote:
>
> Hi Michael,
>
> See below:
>
> On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <
> tchuss at gmail.com> wrote:
>
>
> > Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I
> need to use 32bit version, so no possibility to upgrade).
>
> Actually, you can upgrade your Windows 32-bit stunnel. Either, you compile
> your own, or you can get the latest from here:
>
> josealf/stunnel-win32
> <https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5.56-ossl-1.1.1g-installer.exe>
>
> josealf/stunnel-win32
>
> Binaries for Stunnel for Win32. Contribute to josealf/stunnel-win32
> development by creating an account on GitHub.
>
> <https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5.56-ossl-1.1.1g-installer.exe>
>
>
>
> Regards,
> Jose
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200604/a7b39638/attachment.htm>


More information about the stunnel-users mailing list