Hi!
I am trying to use stunnel to connect to my own server using both a server and a client certificate. I got the tunnel to work, provided that the client uses a PEM certificate stored in a file. However, I would like to use CAPI, because that would allow me to use a smart card, which I finally got Windows to recognize (a nightmare of its own). Unfortunately, it seems that the client-side stunnel won't send a client certificate because the server-side stunnel will always close the connection with:
SSL_accept: 140890C7: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
My client-side stunnel log shows that the server sent some kind of identification of all the supported client certificates to the client, but that's all - the client stunnel fails to follow through:

    TLS state (connect): SSLv3 read server key exchange A
    Client CA: emailAddress=some@email.com, O=Some name, CN=Pepak Yubico 4 White
    Client CA: emailAddress=root@email.com, CN=Pepak (root CA)
    TLS state (connect): SSLv3 read server certificate request A
    TLS state (connect): SSLv3 read server done A
    TLS state (connect): SSLv3 write client certificate A
    TLS state (connect): SSLv3 write client key exchange A
    TLS state (connect): SSLv3 write change cipher spec A
    TLS state (connect): SSLv3 write finished A
    TLS state (connect): SSLv3 flush data
    SSL_connect: Peer suddenly disconnected
As far as I can tell, the CN=Pepak Yubico 4 White matches what my Windows shows as the name of the certificate on the smartcard.
Following up on https://www.stunnel.org/pipermail/stunnel-users/2016-February/005393.html, I tried to add a "key = Pepak Yubico 4 White" line to the client-side stunnel's config, but it doesn't seem to have any effect.
What could be the problem?
The client-side config file is:
    compression = deflate
    debug = debug
    fips = no
    taskbar = no
    options = NO_SSLv2
    engine = capi

    [echo-client]
    client = yes
    accept = 3000
    connect = 10.0.0.1:30000
    requireCert = yes
    verifyChain = yes
    verifyPeer = yes
    CAfile = desktop.pem
    engineId = capi
    key = Pepak Yubico 4 White
The only suspicious thing that I see is that my client certificate says that its only purpose is to verify the identity of the remote computer. Could that be the reason the handshake fails?
Thanks for any help.
Pepak
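The poster's last suspicion is worth checking before anything else: the Windows certificate viewer's "ensures the identity of a remote computer" wording corresponds to the Server Authentication (serverAuth, 1.3.6.1.5.5.7.3.1) extended key usage, whereas a TLS client certificate is normally expected to carry Client Authentication (clientAuth, 1.3.6.1.5.5.7.3.2). The following is an added example, not code from the original post or from the stunnel project: a small pure-Python DER decoder for the extendedKeyUsage extension value that lists the usages present and reports whether clientAuth is among them. The two sample blobs are constructed for illustration and are not the poster's card certificate.

```python
"""Decode an X.509 extendedKeyUsage (EKU) extension value and report whether
it permits TLS client authentication.

Added example, not taken from the original post.  The sample DER blobs at the
bottom are constructed by hand, not read from any real smart card.
"""

# EKU purpose OIDs (RFC 5280 section 4.2.1.12, plus Microsoft's smart card logon OID)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_NAMES = {
    OID_SERVER_AUTH: "serverAuth",
    OID_CLIENT_AUTH: "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.4.1.311.20.2.2": "smartCardLogon",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles both short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form.
    The first byte packs the first two arcs as 40*a + b; later arcs are base-128."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Return the dotted OIDs inside an EKU value (ASN.1: SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid_bytes, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(oid_bytes))
    return oids


def describe_eku(der):
    """Human-readable names for the usages in an EKU value (unknown OIDs stay dotted)."""
    return [OID_NAMES.get(oid, oid) for oid in parse_eku(der)]


def allows_client_auth(der):
    """True if the EKU value lists clientAuth, i.e. the cert is meant for TLS client use."""
    return OID_CLIENT_AUTH in parse_eku(der)


# Constructed sample values (hand-encoded DER):
# serverAuth only -- what Windows describes as "ensures the identity of a remote computer"
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
# serverAuth and clientAuth -- suitable for a client certificate
EKU_SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    for label, blob in (("server-only", EKU_SERVER_ONLY), ("server+client", EKU_SERVER_AND_CLIENT)):
        print(label, describe_eku(blob), "clientAuth:", allows_client_auth(blob))
```

To run this against a real certificate, extract the raw extendedKeyUsage extension value (for example with a DER parser or a library such as `cryptography`) and pass those bytes to `describe_eku`; a certificate whose list lacks clientAuth is one an OpenSSL-based peer configured to verify purpose may refuse, which is consistent with the poster's suspicion, though the post itself does not establish that this is the actual cause.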