Hi, I was using stunnel 5.28; Upgraded to 5.31b2
re-testing with 5.31b2, adding 'key=CN', debug=info

---
Config
debug = info
engine = capi
engineCtrl = debug_level:2
engineCtrl = debug_file:c:\keys\capi.txt
key = 1.2.3.4
CAfile = c:\cacert.pem
verify = 2
#options = NO_TLSv1.1
[test]
engineId = capi
client = yes
accept = 0.0.0.0:9001
connect = 1.2.3.4:9000

---
Stunnel log file
LOG5[main]: Reading configuration from file stunnel.conf
LOG5[main]: UTF-8 byte order mark detected
LOG6[main]: Engine #1 (capi) initialized
LOG5[main]: FIPS mode disabled
LOG6[main]: Initializing service [test]
LOG6[main]: Client certificate engine (capi) enabled
LOG4[main]: Service [test] uses "verify = 2" without subject checks
LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
LOG5[main]: Configuration successful
LOG5[10]: Service [test] accepted connection from 127.0.0.1:49960
LOG6[10]: s_connect: connecting 1.2.3.4:9000
LOG5[10]: s_connect: connected 1.2.3.4:9000
LOG5[10]: Service [test] connected remote server from 10.0.2.15:49961
LOG6[10]: SNI: sending servername: 1.2.3.4
LOG6[10]: Certificate accepted at depth=1: C=US, ST=New Yorl, O=company1, OU=depdev, CN=1.2.3.4, [email protected]
LOG5[10]: Certificate accepted at depth=0: C=US, ST=New York, L=New York, O=company1, OU=depdev, CN=1.2.3.4, [email protected]
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG6[10]: No client CA list
LOG3[10]: SSL_connect: 14094410: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
LOG5[10]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

---
capi.txt
Opening Certificate Store: MY

Thank you,
Shay

On Fri, Feb 19, 2016 at 9:51 PM, Michał Trojnara <[email protected]> wrote:

> On 18.02.2016 10:47, Shay Cohen wrote:
> > But in this case it does not get the certificate (for some reason).
>
> I forgot to ask the obvious question:
> Which version of stunnel do you use?
>
> At least for the private key, you may specify its name with
> "key = <the common name of your client certificate>".
> I haven't tested it for the "cert" option and the CAPI engine.
>
> I also updated stunnel to include some additional details for client
> certificates requested by the server:
> https://www.stunnel.org/downloads/beta/stunnel-5.31b2-installer.exe
> Please send us the log files it produces with "debug = info".
>
> Best regards,
> Mike
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
