Hi
I am running a Windows instance of stunnel as a client and a Linux version as the server. When I set this on the Windows side:
engine = capi
and this in my section:
engineId = capi
I get an error message that CApath or CAFile still needs to be set. My understanding is that these settings should make stunnel use the Windows certificate store to find a root and intermediate certificate to authenticate my (Symantec generated) certificate and should not require a CAfile.
Here is my Windows config:

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = debug
;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
engine = capi

[FIX]
client = yes
accept = 9021
connect = fixuat.au.abnamroclearing.com:9443
cert = C:\certs\jim.howland.cer
key = C:\certs\jim.howland.key
verify = 3
; CAfile = C:\certs\veriSign_root_certificates\symantec-class3-G5.cer
engineId = capi
and here is the error:

[ ] Cron thread initialized
[ ] No limit detected for the number of clients
[.] stunnel 5.31 on x86-pc-msvc-1500 platform
[.] Compiled/running with OpenSSL 1.0.2g-fips 1 Mar 2016
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] GUI message loop initialized
[.] Reading configuration from file stunnel.conf
[.] UTF-8 byte order mark detected
[ ] Enabling support for engine "capi"
[ ] Initializing engine #1 (capi)
[ ] Engine #1 (capi) initialized
[.] FIPS mode disabled
[ ] Compression disabled
[ ] Snagged 64 random bytes from C:/.rnd
[ ] Wrote 0 new random bytes to C:/.rnd
[ ] PRNG seeded successfully
[ ] Initializing service [FIX]
[!] Service [FIX]: Either "CAfile" or "CApath" has to be configured
[!] Server is down
Any ideas?
Kind Regards,
Jim Howland | Linux Engineer
ABN AMRO | ABN AMRO Clearing Sydney Pty Ltd
Level 8, 50 Bridge Street | Sydney NSW 2000 | Australia
Tel: +61 (0)2 9151 3124 | Mobile: +61 (0)417 885818 | Internet abnamroclearing.com
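A pre-flight check for the condition the log above reports, as an added example that is not part of the original message or of stunnel itself: it parses a stunnel.conf and lists the service sections that set verify without CAfile or CApath. The sample config is constructed from the post, the [OK] section and its path are hypothetical, and the level-2 threshold is an assumption (the post only shows verify = 3).

```python
import re

# Constructed sample: the [FIX] section from the post plus a hypothetical
# [OK] section. "\ufeff" is the UTF-8 byte order mark the log mentions.
SAMPLE_CONF = """\ufeffdebug = debug
engine = capi

[FIX]
client = yes
accept = 9021
connect = fixuat.au.abnamroclearing.com:9443
verify = 3
; CAfile = C:\\certs\\veriSign_root_certificates\\symantec-class3-G5.cer
engineId = capi

[OK]
client = yes
verify = 3
CAfile = C:\\certs\\ca-bundle.pem
"""

# Assumption: a CA source is demanded from verify level 2 upward; the post
# only shows the error for verify = 3.
MIN_LEVEL_NEEDING_CA = 2


def parse_services(text):
    """Return {section: {lowercased option: value}}; global options are skipped."""
    services, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or ';' comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return services


def sections_missing_ca(text, min_level=MIN_LEVEL_NEEDING_CA):
    """List sections whose verify level needs a CA source but has none."""
    return [name for name, opts in parse_services(text).items()
            if int(opts.get("verify", "0")) >= min_level
            and not {"cafile", "capath"} & opts.keys()]

print(sections_missing_ca(SAMPLE_CONF))  # ['FIX']
```
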