No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 - it logs "CAPI_GET_KEY:cryptacquirecontext error" or "CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" (depending on selected csp_name and csp_type).

Did anyone succeed in getting stunnel+capi work for TLS 1.2 ?

Maybe some OpenSSL configuration commands could help... But I cannot imagine what.

And I did see "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" phrase in sample stunnel.conf - isn't it an obsolete restriction?

Thanks in advance,

Michael

On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. <josealf@rocketmail.com> wrote:

Hi Michael,

See below:

On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <tchuss@gmail.com> wrote:

> Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use 32bit version, so no possibility to upgrade).

Actually, you can upgrade your Windows 32-bit stunnel. Either, you compile your own, or you can get the latest from here:

https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5.56-ossl-1.1.1g-installer.exe

Regards,
Jose