Hello,
I have encountered a bug in Stunnel version 3.50. I have a setup with two computers (Server and Client) connected using Stunnel. The client is using a hardware token through the CAPI engine to authenticate itself to a server, using a config file:
-----
fips = no
taskbar = yes
options = NO_SSLv2
options = NO_SSLv3
sslVersion = TLSv1.2
engine = capi

[my-server]
client = yes
accept = 22
connect = my.server.com:1234
requireCert = yes
verifyChain = yes
verifyPeer = yes
CAfile = my-cert-chain.pem
engineId = capi
-----
This setup works perfectly in Stunnel 3.49: When I try to connect to localhost:22, I receive a request to select a certificate and enter its PIN, and if successful, a connection to my server is established.
In Stunnel 3.50, the connection fails to complete. The Stunnel log shows:
LOG5[0]: Service [my-server] accepted connection from 127.0.0.1:49713
LOG5[0]: s_connect: connected 1.2.3.4:1234
LOG5[0]: Service [my-server] connected remote server from 10.11.12.13:49714
LOG5[0]: Certificate accepted at depth=0: CN=My server
LOG3[0]: error queue: 141F0006: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
However, if I change the engine to the default one and use a certificate in a file, everything works fine. That suggests to me that the problem lies in Stunnel's CAPI engine library.
It is quite possible the problem is caused by the CAPI engine itself. I was experimenting with OpenSSL 1.1.1a some time back, trying to compile my own library files, and I just couldn't get CAPI to work at all - the libraries themselves compiled OK and worked fine, but the CAPI engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the only way I could get CAPI to work with OpenSSL 1.1.1a was to use the 1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an expert on compiling OpenSSL, so I may have gotten it completely wrong.
Could someone please verify that their CAPI engine is working with Stunnel? Also, it may be worth trying to compile a 64-bit capi.dll from version 1.0.2q just to see if it might start working - in that case, a bug report to OpenSSL may be in order.
Thanks.
pepak
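The two LOG3 lines in the report carry the whole diagnosis once the packed OpenSSL error codes are unpacked. The script below is an added example for this thread, not code from the poster or from the stunnel project. It uses the OpenSSL 1.1.x error-code layout (8 bits library id, 12 bits function id, 12 bits reason id; OpenSSL 3.0 changed this), the fact that library id 128 is ERR_LIB_USER, the first id handed out by ERR_get_next_error_library() and therefore an ENGINE rather than a built-in library, and reason 6 in the SSL library being ERR_R_EVP_LIB, the generic "a lower EVP call failed" wrapper. The sample log text is copied from the report; the "root cause" marking relies on stunnel's sslerror() logging the earliest-queued error with the failing call's name and the rest as "error queue:" lines, which is my reading of stunnel's ssl.c. My reading of the engine source, not something this thread establishes: in OpenSSL 1.1.1 the CAPI engine's capi_rsa_priv_enc is a stub that only raises "function not supported" (the engine implements rsa_sign and rsa_priv_dec), and the TLS 1.2 CertificateVerify path reaches rsa_priv_enc when an RSA-PSS signature scheme is negotiated, which 1.0.2 never does.

```python
import re

# Constructed sample input: the relevant LOG lines from the report above,
# copied here verbatim so the example runs offline.
SAMPLE_LOG = """\
LOG5[0]: Certificate accepted at depth=0: CN=My server
LOG3[0]: error queue: 141F0006: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# OpenSSL 1.1.x packs an error code as 8 bits of library id, 12 bits of function id
# and 12 bits of reason id (ERR_PACK / ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON
# in include/openssl/err.h). Only the constants this example needs are listed.
ERR_LIB_SSL = 20      # "SSL routines"
ERR_LIB_USER = 128    # first id returned by ERR_get_next_error_library(); ENGINEs
                      # such as capi register their error strings under such ids
ERR_R_EVP_LIB = 6     # generic reason "EVP lib": a lower-level EVP call failed

# stunnel prints each queued error as "error:<8 hex digits>:<lib>:<func>:<reason text>"
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack(code):
    """Split a packed OpenSSL 1.1.x error code into its three fields."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def parse_errors(log_text):
    """Extract every OpenSSL error printed in a stunnel log, in log order."""
    errors = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        code = int(m.group(1), 16)
        entry = unpack(code)
        entry.update(
            code=code,
            lib_name=m.group(2),
            func_name=m.group(3),
            reason_text=m.group(4),
            # Assumption (stunnel's sslerror()): the remaining queue is logged as
            # "error queue:" lines and the earliest-queued error, i.e. the innermost
            # failure, is logged with the name of the failing call (here SSL_connect).
            root_cause="error queue:" not in line,
        )
        errors.append(entry)
    return errors


def diagnose(errors):
    """Classify where the failure originated.

    Returns "engine" if any error was raised by a dynamically registered error
    library (lib id >= ERR_LIB_USER, i.e. an ENGINE), "openssl" if all errors come
    from built-in libraries, and "none" if no OpenSSL error was logged.
    """
    if not errors:
        return "none"
    if any(e["lib"] >= ERR_LIB_USER for e in errors):
        return "engine"
    return "openssl"


def explain(errors):
    """One human-readable line per error, marking wrapper errors and the root cause."""
    lines = []
    for e in errors:
        origin = "ENGINE-registered library" if e["lib"] >= ERR_LIB_USER else e["lib_name"]
        note = ""
        if e["lib"] == ERR_LIB_SSL and e["reason"] == ERR_R_EVP_LIB:
            note = " (wrapper: the EVP signing call beneath it failed)"
        if e["root_cause"]:
            note += " [root cause]"
        lines.append(
            f"{e['code']:08X}: lib={e['lib']} ({origin}) func={e['func']} "
            f"({e['func_name']}) reason={e['reason']} ({e['reason_text']}){note}"
        )
    return lines


if __name__ == "__main__":
    errs = parse_errors(SAMPLE_LOG)
    print("\n".join(explain(errs)))
    print("origin:", diagnose(errs))
```

Run against the report's log the script classifies the failure as "engine": the only error from a built-in library is the SSL wrapper (lib 20, reason 6, "EVP lib"), and the root cause is the error from lib 128, raised inside capi_rsa_priv_enc. That is the check that separates "stunnel's TLS code broke" from "the engine refused to sign", and it is worth running before rebuilding capi.dll.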
The latest version of stunnel is 5.50. Do you really use version 3.50?
Flo
On Fri, Feb 15, 2019 at 8:14 AM pepak@seznam.cz wrote:
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users