In Windows 10 I have done the following:
1. Created a directory C:\Certificates\
2. From the Microsoft Management Console (MMC) I have exported all the "Trusted Root Certificate Authorities\Certificates" as Personal Information Exchange .PFX with a passcode
3. Using a PowerShell environment, I change directories to C:\Certificates\ and run openssl. From the openssl prompt, convert the above .PFX file to a .pem file:

   ```
   openssl pkcs12 -in All_Trusted.pfx -out All_Trusted.pem -nodes
   ```
4. Next I run the following openssl command:

   ```
   OpenSSL s_client -CApath c:\Certificates\ -connect api.gainfutures.com:9400 -CAfile All_Trusted.pem
   ```

After a bunch of output, I get the notification Verification: OK
This tells me that the verification has passed the remote certificate.
Using this to inform my stunnel configuration, I configure:
```
[GainFuturesConnect]
client = yes
accept = 127.0.0.1:8080
connect = 192.111.85.171:9400
CAfile = C:\Certificates\All_Trusted.pem
CApath = C:\Certificates\
securityLevel = 1
verifyChain = yes
checkHost = api.gainfutures.com:9400
sslVersion = TLSv1.2
sslVersionMax = TLSv1.2
ciphers = DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
```

Although the preverification succeeds at each "depth", the verification fails at the end:
`CERT: Pre-verification succeeded` (**Note, this is a change from before I added the above CAfile and CApath values**)

```
CERT: Subject checks failed
Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com
Remove session callback
TLS alert (write): fatal: internal error
SSL_connect: ssl/statem/statem_clnt.c:2091: error:0A000086:SSL routines::certificate verify failed
```

So my question becomes two parts:
1. How do I get the Subject checks to pass for CERT;
2. How do I get rid of the TLS "write" alert which is an internal error?

Thank you
-William Wood
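
An added example, not part of the original post and not stunnel's or OpenSSL's code: a simplified left-most-wildcard host name matcher run against the CN from the rejected certificate, to show how candidate `checkHost` values compare with `*.gainfutures.com`. It assumes the subject check compares the configured string as-is against the certificate's DNS names and that the certificate carries no other names than the one in the log.

```python
# Added illustration: simplified left-most-label wildcard matching in the
# style of RFC 6125. Not stunnel's or OpenSSL's implementation.

# Name copied from the "Rejected by CERT at depth=0" log line in the post.
# Assumption: the certificate's SAN list contains nothing beyond this name.
CERT_NAMES = ["*.gainfutures.com"]


def match_hostname(pattern: str, reference: str) -> bool:
    """Return True if a certificate name pattern covers the reference name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(r_labels):
        return False
    for index, (p, r) in enumerate(zip(p_labels, r_labels)):
        if index == 0 and p == "*":
            if not r:          # "*" must cover a non-empty label
                return False
            continue
        if p != r:             # every other label must match exactly
            return False
    return True


def check_host(cert_names, configured_value: str) -> bool:
    """Mimic a subject check: does any certificate name cover the value?"""
    return any(match_hostname(name, configured_value) for name in cert_names)


def report(values):
    """Map each candidate checkHost value to pass/fail for CERT_NAMES."""
    return {value: check_host(CERT_NAMES, value) for value in values}


if __name__ == "__main__":
    candidates = [
        "api.gainfutures.com:9400",  # value from the posted configuration
        "api.gainfutures.com",       # host name only, no port
        "192.111.85.171",            # the address used in "connect"
        "gainfutures.com",           # apex: not covered by the wildcard
    ]
    for value, ok in report(candidates).items():
        print(f"{value:28} {'match' if ok else 'no match'}")
```

The port is a property of the connection (`connect`), not of the name in the certificate, so only the bare host name can equal a name the wildcard covers.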