Hello,
I'm trying to use stunnel in server mode with certificates from the Windows Certificate Store. I have a basic configuration which is working with a PEM certificate file and I'm trying to get it to use a cert via the CAPI engine.
Here is my basic (working) config:
debug = debug
output = C:\stunnel\stunnel.log

options = -NO_SSLv3

[https]
accept = 443
connect = 80
cert = stunnel.pem
Here is my config using the CAPI engine:
debug = debug
output = C:\stunnel\stunnel.log

engine = capi
engineCtrl = debug_level:2
engineCtrl = debug_file:c:\stunnel\capi.log
engineCtrl = store_flags:1
engineCtrl = list_certs

options = -NO_SSLv3

[https]
accept = 443
connect = 80
engineId = capi
However stunnel does not seem to find a certificate to use:
[...]
2018.03.06 10:22:05 LOG7[main]: Enabling support for engine "capi"
2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_level:2
2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_file:c:\stunnel\capi.log
2018.03.06 10:22:05 LOG7[main]: Executing engine control command store_flags:1
2018.03.06 10:22:05 LOG7[main]: Executing engine control command list_certs
2018.03.06 10:22:05 LOG7[main]: Initializing engine #1 (capi)
2018.03.06 10:22:05 LOG6[main]: Engine #1 (capi) initialized
[...]
2018.03.06 10:22:05 LOG6[main]: Initializing service [https]
2018.03.06 10:22:05 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.03.06 10:22:05 LOG7[main]: TLS options: 0x01004004 (+0x03004000, -0x02000000)
2018.03.06 10:22:05 LOG7[main]: No certificate or private key specified
[...]
And I have no certificates listed in the CAPI debug log:
Setting debug level to 2
Setting debug file to c:\stunnel\capi.log
Setting flags to 1
Listing certs for store MY
Opening certificate store MY
capi_cert_get_fname
When I load the engine via OpenSSL, I can see that a certificate is present in the store:
C:\stunnel\bin>openssl.exe engine -t dynamic -pre "SO_PATH:C:\stunnel\engines\capi.dll" -pre LOAD -post store_flags:1 -post store_name:MY -post list_certs
WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\stunnel\engines\capi.dll
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
     [ available ]
[Success]: store_flags:1
Certificate 0
  Friendly Name "test"
  Subject: CN = test
  Issuer: CN = test
[Success]: list_certs
This certificate (and the associated private key) has been generated via the IIS Manager console and I have imported it in the Local Computer Store (with the private key).
Does anybody have any idea what I am missing to get this to work?
I can provide more logs and run more tests if necessary. I'm using Stunnel 5.44 on Windows 2008 R2. I tried with an older version (5.40) but had the same problem.
Thanks.
Kevin
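As an added diagnostic (not part of Kevin's post or of stunnel itself), the PowerShell snippet below lists the certificates in both the Local Machine and Current User personal stores, which is what the capi engine's store_flags setting selects between (store_flags:1 being the Local Machine store, as the post's configuration uses). For each certificate it reports whether a private key is attached and, where the key is a legacy CryptoAPI (CSP) key, the provider name; a key that is present but not exposed as a CSP key is flagged separately. Running it in an elevated session next to the stunnel log makes it easy to confirm which store actually holds the "test" certificate and whether its private key is readable by the account stunnel runs under. The store paths and property names are standard .NET/PowerShell; nothing here is stunnel-specific.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on the same host as stunnel. store_flags:1 in the stunnel engineCtrl
# line selects the Local Machine store, so that is the one to compare against.
foreach ($store in 'LocalMachine', 'CurrentUser') {
    $path = "Cert:\$store\My"
    Write-Host "== $path =="
    Get-ChildItem -Path $path | ForEach-Object {
        $cert = $_
        $provider = '(no private key)'
        if ($cert.HasPrivateKey) {
            try {
                # Legacy CSP keys expose CspKeyContainerInfo; other key types
                # (for example CNG-held keys) do not, and some throw on access.
                $key = $cert.PrivateKey
                if ($key -and $key.CspKeyContainerInfo) {
                    $provider = $key.CspKeyContainerInfo.ProviderName
                } else {
                    $provider = 'private key present but not exposed as a legacy CSP key'
                }
            } catch {
                $provider = "private key not accessible: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Store        = $store
            Subject      = $cert.Subject
            FriendlyName = $cert.FriendlyName
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            KeyProvider  = $provider
        }
    } | Format-Table -AutoSize
}
```

If the certificate shows up only under CurrentUser, or shows a private key that is not accessible from the elevated session, that is the first thing to reconcile with the store_flags value and the service account stunnel runs as before looking further at the engine itself.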