>On Wednesday, June 3, 2020, 05:22:19 AM GMT-5, Michael S. Chusovitin <tchuss@gmail.com> wrote:

>No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 - it logs "CAPI_GET_KEY:cryptacquirecontext error" or >"CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" (depending on selected csp_name and csp_type).

>Did anyone succeed in getting stunnel+capi work for TLS 1.2 ?

Unlikely. Maybe with OpenSSL 1.0. See below.

>Maybe some OpenSSL configuration commands could help... But I cannot imagine what.

>And I did see "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" phrase in sample >stunnel.conf - isn't it an obsolete restriction?

No. It is a restriction in OpenSSL 1.1.x that won't be fixed. See https://github.com/openssl/openssl/issues/8872

However, in the thread it seems the CAPI engine in OpenSSL 1.0.x works with TLS 1.2... So, Maybe an stunnel compiled against the deprecated OpenSSL 1.0.2 could give better results in your case...

Regards,

Jose

On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. <josealf@rocketmail.com> wrote:

Hi Michael,

See below:

On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <tchuss@gmail.com> wrote:

> Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use 32bit version, so no possibility to upgrade).

Actually, you can upgrade your Windows 32-bit stunnel. Either, you compile your own, or you can get the latest from here:

josealf/stunnel-win32

josealf/stunnel-win32
Binaries for Stunnel for Win32. Contribute to josealf/stunnel-win32 development by creating an account on GitHub.

Regards,
Jose

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users