The latest version of stunnel is 5.50. Do you really use version 3.50?

Flo
On Fri, Feb 15, 2019 at 8:14 AM <[email protected]> wrote:
> Hello,
>
> I have encountered a bug in Stunnel version 3.50. I have a setup with
> two computers (Server and Client) connected using Stunnel. The client is
> using a hardware token through the CAPI engine to authenticate itself to
> a server, using a config file:
>
> -----
> fips = no
> taskbar = yes
> options = NO_SSLv2
> options = NO_SSLv3
> sslVersion = TLSv1.2
> engine = capi
>
> [my-server]
> client = yes
> accept = 22
> connect = my.server.com:1234
> requireCert = yes
> verifyChain = yes
> verifyPeer = yes
> CAfile = my-cert-chain.pem
> engineId = capi
> -----
>
> This setup works perfectly in Stunnel 3.49: When I try to connect to
> localhost:22, I receive a request to select a certificate and enter its
> PIN, and if successful, a connection to my server is established.
>
> In Stunnel 3.50, the connection fails to complete. The Stunnel log shows:
>
> LOG5[0]: Service [my-server] accepted connection from 127.0.0.1:49713
> LOG5[0]: s_connect: connected 1.2.3.4:1234
> LOG5[0]: Service [my-server] connected remote server from 10.11.12.13:49714
> LOG5[0]: Certificate accepted at depth=0: CN=My server
> LOG3[0]: error queue: 141F0006: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
> LOG3[0]: SSL_connect: 8006F074: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
> LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>
> However, if I change the engine to the default one and use a certificate
> in a file, everything works fine. That suggests to me that the problem
> lies in Stunnel's CAPI engine library.
>
> It is quite possible the problem is caused by the CAPI engine itself. I
> was experimenting with OpenSSL 1.1.1a some time back, trying to compile
> my own library files, and I just couldn't get CAPI to work at all -
> the libraries themselves compiled OK and worked fine, but the CAPI
> engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
> only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
> 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
> expert on compiling OpenSSL, so I may have gotten it completely wrong.
>
> Could someone please verify that their CAPI engine is working with
> Stunnel? Also, it may be worth trying to compile a 64-bit CAPI.dll from
> version 1.0.2q just to see if it might start working - in that case, a
> bug report to OpenSSL may be in order.
>
> Thanks.
>
> pepak
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
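One way to separate an engine fault from a stunnel fault, as an added check that is not part of the thread or of stunnel's own tooling: drive the same CAPI key through openssl.exe directly, first with a detached signature (the private-key operation that fails in the posted log as capi_rsa_priv_enc) and then inside a TLS 1.2 handshake in which the engine supplies the client certificate and key, which is what stunnel's engineId setting asks for. If step 2 already fails, the engine DLL shipped with that OpenSSL build is the problem and stunnel is only reporting it. Assumptions: openssl.exe (with its capi engine DLL) is on PATH; the token's certificate sits in the CurrentUser\My store and its subject contains the string "My client" (hypothetical, chosen here because the capi engine's default lookup matches a substring of the subject name); the server address and CA file are the ones from the posted config.

```powershell
# Added check (not from the thread): exercise the CAPI engine outside stunnel.
# Assumptions: openssl.exe on PATH; client cert subject contains "My client"
# (hypothetical); server and CA file values taken from the posted stunnel config.
$KeyId  = "My client"          # capi default lookup: substring of the certificate subject
$Server = "my.server.com:1234"
$CAfile = "my-cert-chain.pem"

# 1. Does the engine load at all, and which algorithms does it claim?
#    A working capi engine lists RSA here; a load failure shows up as an error
#    before any key is touched.
openssl engine -t -c capi
if ($LASTEXITCODE -ne 0) { throw "capi engine did not load" }

# 2. Can the engine perform a private-key operation? This is the step that
#    fails in the posted log (capi_rsa_priv_enc: function not supported).
#    -keyform ENGINE makes openssl hand the key id to the engine instead of
#    reading a file; the token should prompt for its PIN here.
$Payload = Join-Path $env:TEMP "capi-test.txt"
$Sig     = Join-Path $env:TEMP "capi-test.sig"
Set-Content -Path $Payload -Value "capi signing test" -NoNewline
openssl dgst -sha256 -engine capi -keyform ENGINE -sign $KeyId -out $Sig $Payload
if ($LASTEXITCODE -ne 0) { throw "private-key operation through capi failed outside stunnel" }

# Verify the detached signature against the certificate's public key so that a
# signature that is produced but wrong is also caught. The certificate is
# exported from the Windows store as PEM (public part only, no key material).
$Cert = Join-Path $env:TEMP "capi-test-cert.pem"
$Pub  = Join-Path $env:TEMP "capi-test-pub.pem"
$x509 = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$KeyId*" } |
        Select-Object -First 1
if (-not $x509) { throw "no certificate with subject containing '$KeyId' in CurrentUser\My" }
$b64 = [Convert]::ToBase64String($x509.RawData, "InsertLineBreaks")
Set-Content -Path $Cert -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
openssl x509 -in $Cert -pubkey -noout | Set-Content -Path $Pub
openssl dgst -sha256 -verify $Pub -signature $Sig $Payload
if ($LASTEXITCODE -ne 0) { throw "signature produced by capi did not verify against the certificate" }

# 3. Same operation inside a TLS 1.2 handshake: -ssl_client_engine lets the
#    engine pick the client certificate and key when the server requests one,
#    mirroring stunnel's engineId = capi. -verify_return_error makes a server
#    chain that does not validate against the CA file abort the handshake
#    instead of continuing, so the result is unambiguous. "Q" closes s_client.
"Q" | openssl s_client -connect $Server -tls1_2 -CAfile $CAfile -verify_return_error -ssl_client_engine capi
if ($LASTEXITCODE -ne 0) { throw "TLS 1.2 client-certificate handshake through capi failed" }
```

Run the script in the same OpenSSL installation that stunnel loads (check which libcrypto and which engines directory stunnel's openssl.exe resolves to), since the thread's observation is that a 1.0.2q capi.dll behaves differently from the 1.1.1a one; a mismatch between the DLL the script tests and the one stunnel uses would make the comparison meaningless.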
