<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
mso-fareast-language:EN-AU;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am running a Windows instance of stunnel as a client and a Linux version as the server.<o:p></o:p></p>
<p class="MsoNormal">When I set this on the Windows side:<o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-AU">engine = capi<o:p></o:p></span></p>
<p class="MsoNormal">and this in my section:<o:p></o:p></p>
<pre style="background:white"><span style="color:black">engineId = capi<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I get an error message that CApath or CAfile still needs to be set. My understanding is that these settings should make stunnel use the Windows certificate store to find a root and intermediate certificate to authenticate my (Symantec generated)
certificate and should not require a CAfile.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is my Windows config:<o:p></o:p></p>
<pre style="background:white">; **************************************************************************
; * Global options *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = debug
;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
engine = capi

[FIX]
client = yes
accept = 9021
connect = fixuat.au.abnamroclearing.com:9443
cert = C:\certs\jim.howland.cer
key = C:\certs\jim.howland.key
verify = 3
; CAfile = C:\certs\veriSign_root_certificates\symantec-class3-G5.cer
engineId = capi</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">and here is the error:<o:p></o:p></p>
<pre style="background:white">[ ] Cron thread initialized
[ ] No limit detected for the number of clients
[.] stunnel 5.31 on x86-pc-msvc-1500 platform
[.] Compiled/running with OpenSSL 1.0.2g-fips 1 Mar 2016
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] GUI message loop initialized
[.] Reading configuration from file stunnel.conf
[.] UTF-8 byte order mark detected
[ ] Enabling support for engine "capi"
[ ] Initializing engine #1 (capi)
[ ] Engine #1 (capi) initialized
[.] FIPS mode disabled
[ ] Compression disabled
[ ] Snagged 64 random bytes from C:/.rnd
[ ] Wrote 0 new random bytes to C:/.rnd
[ ] PRNG seeded successfully
[ ] Initializing service [FIX]
[!] Service [FIX]: Either "CAfile" or "CApath" has to be configured

[!] Server is down</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any ideas?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#4F4F4F;mso-fareast-language:EN-AU">Kind Regards,<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#4F4F4F;mso-fareast-language:EN-AU">Jim Howland</span></b><span lang="EN-GB" style="color:#1F497D;mso-fareast-language:EN-AU">
</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#4F4F4F;mso-fareast-language:EN-AU">| Linux Engineer</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#4F4F4F;mso-fareast-language:EN-AU"><br>
ABN AMRO |</span><span lang="EN-GB" style="color:#1F497D;mso-fareast-language:EN-AU">
</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#404040;mso-fareast-language:EN-AU">ABN AMRO Clearing Sydney Pty Ltd</span><span style="color:#1F497D;mso-fareast-language:EN-AU">
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#4F4F4F;mso-fareast-language:EN-AU"><br>
Level 8, 50 Bridge Street | Sydney NSW 2000 | Australia<br>
Tel: +61 (0)2 9151 3124 | Mobile: +61 (0)417 885818 | Internet</span><span lang="EN-GB" style="color:#1F497D;mso-fareast-language:EN-AU">
</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#404040;mso-fareast-language:EN-AU">abnamroclearing.com</span><span style="color:#1F4E79;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
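<p class="MsoNormal">The startup error quoted in the message above comes from stunnel's own configuration validation: a service with <code>verify = 3</code> (or any level of 2 and above) must name a <code>CAfile</code> or <code>CApath</code>, and the <code>capi</code> engine, which supplies the private key from the Windows certificate store, does not provide those trust anchors. The following pre-flight linter is an added example, not stunnel's code and not the poster's: it parses an stunnel.conf, re-implements that check, and adds two defender-oriented warnings (an <code>engineId</code> without a global <code>engine</code>, and a client service with no <code>verify</code> level at all, which leaves the server certificate unverified). The sample configurations, hostname and file names embedded in it are constructed placeholders modelled on the config in the message.</p>

```python
"""Pre-flight linter for stunnel.conf (added example, not stunnel's own code).

It re-implements, as a stand-alone check, the validation behind the startup
error 'Either "CAfile" or "CApath" has to be configured' and adds two
defender-oriented warnings: a service that uses engineId without a global
engine, and a client service that never verifies the server certificate.
"""
import re
from typing import Dict, List, Optional, Tuple

Options = Dict[str, str]

# Constructed sample modelled on the Windows client config in the question;
# the hostname and file names are placeholders, not the poster's values.
SAMPLE_CONF = """\
; Global options
debug = debug
engine = capi

[FIX]
client = yes
accept = 9021
connect = fix.example.com:9443
cert = C:\\certs\\client.cer
key = C:\\certs\\client.key
verify = 3
; CAfile = C:\\certs\\symantec-class3-G5.cer
engineId = capi
"""

# Same constructed config with the CAfile line uncommented.
FIXED_CONF = SAMPLE_CONF.replace("; CAfile", "CAfile")

# Constructed client section with no verify option at all.
NOVERIFY_CONF = """\
[plain]
client = yes
accept = 9022
connect = fix.example.com:9443
"""


def parse_stunnel_conf(text: str) -> Tuple[Options, Dict[str, Options]]:
    """Split an stunnel.conf into (global options, {service name: options}).

    Option names are lower-cased because stunnel treats them
    case-insensitively; lines starting with ';' are comments.
    """
    global_opts: Options = {}
    services: Dict[str, Options] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            continue  # stunnel itself would reject this line; out of scope here
        name, value = line.split("=", 1)
        current[name.strip().lower()] = value.strip()
    return global_opts, services


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the config is clean."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, opts in services.items():
        # Service-level options written before the first [section] act as defaults.
        def opt(key: str) -> Optional[str]:
            return opts.get(key, global_opts.get(key))

        level_raw = opt("verify")
        level = int(level_raw) if level_raw is not None and level_raw.isdigit() else 0
        has_trust_anchor = opt("cafile") is not None or opt("capath") is not None

        # The check behind the error in the posted log: verification needs a trust store.
        if level >= 2 and not has_trust_anchor:
            findings.append(
                f'Service [{name}]: verify = {level} but neither "CAfile" nor "CApath" is set'
            )
        # engineId in a section only works if the engine was loaded globally.
        if opt("engineid") is not None and opt("engine") is None:
            findings.append(
                f'Service [{name}]: engineId = {opt("engineid")} but no global "engine" is loaded'
            )
        # A client that never sets verify accepts any server certificate.
        if (opt("client") or "").lower() == "yes" and level == 0:
            findings.append(
                f"Service [{name}]: client = yes with no verify level, "
                "so the server certificate is not verified"
            )
    return findings


if __name__ == "__main__":
    cases = (("as posted", SAMPLE_CONF), ("CAfile enabled", FIXED_CONF), ("no verify", NOVERIFY_CONF))
    for label, conf in cases:
        print(f"--- {label}")
        for finding in lint(conf) or ["OK"]:
            print(finding)
```

<p class="MsoNormal">Run against the config as posted, the linter reports exactly the condition stunnel logged for <code>[FIX]</code>; with the <code>CAfile</code> line uncommented it reports nothing. The third case shows why dropping <code>verify</code> to silence the error would be the wrong fix: a client with no verify level connects to any server that presents a certificate.</p>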
<p>********<br>
This message (including any attachments ) is confidential and is intended solely for the use of the individual or entity to whom it is addressed. If you have received this message by mistake please notify the sender by return email and delete this message from your system. Any unauthorised use or dissemination of this message in whole or in part is strictly prohibited.<br>
********</p></body>
</html>