Dear stunnel users,
Whereas stunnel itself looks fine for me, it seems to have some trouble with the CAPI engine. The one I still cannot manage is "CAPI_GET_KEY:cryptacquirecontext error", logged when attempting to export the client's key.
I tried to add "engineCtrl = csp_name:Microsoft Enhanced RSA and AES Cryptographic Provider" to stunnel.conf, and then "CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" was logged instead of the above one.
The same certificate is used happily with a no-CAPI configuration. I suppose the problem is somehow related to the SHA-256 signature in the certificate. Are there any chances of a workaround?
The stunnel version is 5.48 with OpenSSL 1.0.2o-fips (in this very case I need to use the 32-bit version, so there is no possibility to upgrade).
Thanks!
Hi Michael,
See below:
On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <tchuss@gmail.com> wrote:
Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use the 32-bit version, so no possibility to upgrade).
Actually, you can upgrade your Windows 32-bit stunnel. Either you compile your own, or you can get the latest from here: https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5...
Regards, Jose
Jose,
Many thanks! It's much simpler for me to try yours than to compile myself.
Regards, Michael
No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 does: it logs "CAPI_GET_KEY:cryptacquirecontext error" or "CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" (depending on the selected csp_name and csp_type).
Did anyone succeed in getting stunnel + CAPI to work for TLS 1.2?
Maybe some OpenSSL configuration commands could help... But I cannot imagine which. And I did see the phrase "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" in the sample stunnel.conf - isn't that an obsolete restriction?
Thanks in advance, Michael
Michael,
Answers below:
On Wednesday, June 3, 2020, 05:22:19 AM GMT-5, Michael S. Chusovitin <tchuss@gmail.com> wrote:
No luck. The downloaded stunnel 5.56 behaves exactly as 5.48 does: it logs "CAPI_GET_KEY:cryptacquirecontext error" or "CAPI_CTX_SET_PROVNAME:cryptacquirecontext error" (depending on the selected csp_name and csp_type). Did anyone succeed in getting stunnel + CAPI to work for TLS 1.2?
Unlikely. Maybe with OpenSSL 1.0. See below.
Maybe some OpenSSL configuration commands could help... But I cannot imagine which. And I did see the phrase "You also need to disable TLS 1.2 or later because the CryptoAPI engine currently does not support PSS" in the sample stunnel.conf - isn't that an obsolete restriction?
No. It is a restriction in OpenSSL 1.1.x that won't be fixed. See https://github.com/openssl/openssl/issues/8872
However, in the thread it seems the CAPI engine in OpenSSL 1.0.x works with TLS 1.2... So, maybe a stunnel compiled against the deprecated OpenSSL 1.0.2 could give better results in your case...
Regards, Jose
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Thank you Jose. Disappointing but useful to know...
Regards, Michael
On Wed, Jun 3, 2020 at 12:13 AM Jose Alf. josealf@rocketmail.com wrote:
Hi Michael,
See below:
On Tuesday, June 2, 2020, 10:42:30 AM GMT-5, Michael S. Chusovitin <tchuss@gmail.com> wrote:
Stunnel version is 5.48 with OpenSSL 1.0.2o-fips. (in this very case I need to use the 32-bit version, so no possibility to upgrade).
Actually, you can upgrade your Windows 32-bit stunnel. Either you compile your own, or you can get the latest from here:
https://github.com/josealf/stunnel-win32/blob/master/stunnel-testing-win32-5.56-ossl-1.1.1g-installer.exe
Regards, Jose
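The setup the thread is about, written out as one complete stunnel.conf client configuration. This is an added example, not a file posted in the thread or shipped by the stunnel project: the service name, ports, hostname and certificate identifier are assumptions, and the csp_name value is the one Michael tried. It shows which lines produce each of the two errors (the global engine / engineCtrl lines versus the per-service key lookup) and the TLS version cap that the PSS remark in the sample stunnel.conf, which Jose confirms above, calls for.

```ini
; Added example stunnel.conf (not from the thread or the stunnel project).
; Client-side TLS with the private key held in the Windows certificate store
; and used through the OpenSSL CAPI engine. Names and ports are assumptions.

; --- global section ---------------------------------------------------------
; Load the CryptoAPI engine. Nothing else is required for the default CSP.
engine = capi
; Optional: pin the CSP the engine opens with CryptAcquireContext. Only set
; this when the key really lives in that provider; a mismatch is reported as
; CAPI_CTX_SET_PROVNAME:cryptacquirecontext error before any key is touched.
engineCtrl = csp_name:Microsoft Enhanced RSA and AES Cryptographic Provider

; --- client service ---------------------------------------------------------
[client-capi]
client = yes
accept = 127.0.0.1:8443
connect = example.com:443
; Use the engine for this service. With an engine, "key" is the lookup value
; passed to the engine (the certificate subject name by default), not a file.
; A failure here surfaces as CAPI_GET_KEY:cryptacquirecontext error.
engineId = capi
key = Example Client Certificate
; Assumption: the matching certificate is loaded through the engine by the
; same identifier. If your build does not do that, export the public
; certificate to a PEM file and point "cert" at that file instead.
cert = Example Client Certificate
; The CAPI engine cannot produce RSA-PSS signatures. OpenSSL 1.1.x negotiates
; PSS for TLS 1.2 client authentication and TLS 1.3 requires it, so cap the
; protocol version as the sample stunnel.conf advises. sslVersionMax is
; assumed to be supported by the build in use; older releases pin the
; version with "sslVersion = TLSv1.1" instead.
sslVersionMax = TLSv1.1
```

Two caveats worth checking before tuning csp_name: cryptacquirecontext error means the engine's CryptAcquireContext call failed for the key container recorded on the certificate, so first confirm which provider actually holds the key (the Provider line in the output of certutil -store -user My). A key kept in a CNG key storage provider such as the Microsoft Software Key Storage Provider is not reachable through the legacy CryptoAPI path the engine uses at all, and no csp_name or csp_type setting will change that. And the TLS cap is not a workaround for the errors above; it only matters once the key loads, because the PSS limitation is in the signing step of the handshake.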