<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"><head><!--[if gte mso 9]><xml><o:OfficeDocumentSettings><o:AllowPNG/><o:PixelsPerInch>96</o:PixelsPerInch></o:OfficeDocumentSettings></xml><![endif]--></head><body><div class="ydp32f0f574yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
        <div dir="ltr" data-setdir="false">Michael,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Answers below:</div><div dir="ltr" data-setdir="false"><br></div><div><br></div>
        
        </div><div id="ydpf97bc5d5yahoo_quoted_1963029058" class="ydpf97bc5d5yahoo_quoted">
            <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                
                <div>>On Wednesday, June 3, 2020, 05:22:19 AM GMT-5, Michael S. Chusovitin &lt;tchuss@gmail.com&gt; wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div id="ydpf97bc5d5yiv5951367048"><div dir="ltr">
<div>>No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 - it logs 
"<span lang="EN-US">CAPI_GET_KEY:cryptacquirecontext error"</span>

 or "<span lang="EN-US">CAPI_CTX_SET_PROVNAME:cryptacquirecontext error"<b> </b>(depending on selected csp_name and csp_type)<b>.<br clear="none"></b></span></div><div dir="ltr" data-setdir="false"><span><span style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">></span></span>Did anyone succeed in getting stunnel+capi to work for TLS 1.2?</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Unlikely. Maybe with OpenSSL 1.0. See below.</div><div><br></div><div>>Maybe some OpenSSL configuration commands could help... But I cannot imagine what.</div><div>>And I did see "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" phrase in sample stunnel.conf - isn't it an obsolete restriction?</div><div><br clear="none"></div><div><br></div><div dir="ltr" data-setdir="false"><div dir="ltr" data-setdir="false">No. It is a restriction in OpenSSL 1.1.x that won't be fixed. See <a href="https://github.com/openssl/openssl/issues/8872" rel="nofollow" target="_blank">https://github.com/openssl/openssl/issues/8872</a></div><div dir="ltr" data-setdir="false"><br></div>However, in the thread it seems the CAPI engine in OpenSSL 1.0.x works with TLS 1.2... So, maybe an stunnel compiled against the deprecated OpenSSL 1.0.2 could give better results in your case...</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Regards,</div><div dir="ltr" data-setdir="false">Jose</div><div><br></div><div><br></div></div><div class="ydpf97bc5d5yiv5951367048yqt2557559579" id="ydpf97bc5d5yiv5951367048yqt97609"><div class="ydpf97bc5d5yiv5951367048gmail_quote"><div class="ydpf97bc5d5yiv5951367048gmail_attr" dir="ltr">On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. 
<<a shape="rect" href="mailto:josealf@rocketmail.com" rel="nofollow" target="_blank">josealf@rocketmail.com</a>> wrote:<br clear="none"></div><blockquote class="ydpf97bc5d5yiv5951367048gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;"><div><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
        <div dir="ltr">Hi Michael,</div><div dir="ltr"><br clear="none"></div><div dir="ltr">See below:</div><div><br clear="none"></div>
        
        </div><div id="ydpf97bc5d5yiv5951367048gmail-m_-2866598122373902680ydp9381a55byahoo_quoted_1895285137">
            <div style="font-size:13px;color:rgb(38,40,42);">
                
                <div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;">
                    On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <<a shape="rect" href="mailto:tchuss@gmail.com" rel="nofollow" target="_blank">tchuss@gmail.com</a>> wrote:
                </div>
                <div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;"><br clear="none"></div>
                <div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;"><br clear="none"></div><div><div id="ydpf97bc5d5yiv5951367048gmail-m_-2866598122373902680ydp9381a55byiv0229049510"><div dir="ltr"><div><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;"><span lang="EN-US">> Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use 32bit version, so no possibility to upgrade).<br clear="none"></span></div><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;"><span lang="EN-US"><br clear="none"></span></div><div dir="ltr"><span lang="EN-US">Actually, you can upgrade your Windows 32-bit stunnel. Either, you compile your own, or you can get the latest from here:</span></div><div dir="ltr"><span lang="EN-US"><br clear="none"></span></div><div dir="ltr"><div><div><a shape="rect" href="https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5.56-ossl-1.1.1g-installer.exe" rel="nofollow" target="_blank" class="enhancr_card_1860694046">josealf/stunnel-win32</a></div><div><br></div><div><br></div><div><br></div><div><br clear="none"></div></div></div><div dir="ltr" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;">Regards,</div><div dir="ltr" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;">Jose</div></div></div></div></div>
            </div>
        </div></div></blockquote></div></div></div><div class="ydpf97bc5d5yqt2557559579" id="ydpf97bc5d5yqt37978">_______________________________________________<br clear="none">stunnel-users mailing list<br clear="none"><a shape="rect" href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br clear="none"><a shape="rect" href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="nofollow" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br clear="none"></div></div>
            </div>
        </div></body></html>