I have encountered a bug in Stunnel version 3.50. I have a setup with
two computers (Server and Client) connected using Stunnel. The client is
using a hardware token through the CAPI engine to authenticate itself to
a server, using a config file:
-----
LOG3[0]: error queue: 141F0006: error:141F0006:SSL
routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074:
error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
It is quite possible the problem is caused by the CAPI engine itself. I
was experimenting with OpenSSL 1.1.1a some time back, trying to compile
my own library files, and I just couldn't to get CAPI to work at all -
the libraries themselves compiled OK and worked fine, but the CAPI
engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the
only way I could get CAPI to work with OpenSSL 1.1.1a was to use the
1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an
expert on compiling OpenSSL, so I may have gotten it completely wrong.
Could someone please verify that their CAPI engine is working with
Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from
version 1.0.2q just to see if it might start working - in that case, a
bug report to OpenSSL may be in order.
Hello,
I was able to replicate this error with Stunnel 5.50 when trying to
connect to a server built with OpenSSL 1.1.1a.
Stunnel 5.50 (client) correctly connects to a server built with OpenSSL
older than 1.1.1
How did you get 1.0.2q capi.dll to work with OpenSSL 1.1.1a?
I placed 1.0.2q capi.dll in the stunnel/engines folder but it didn’t work.
Best regards,
Małgorzata Olszówka
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
