[stunnel-users] Target version/timeframe for drawing identity certs from Windows cert store?

Michal Trojnara Michal.Trojnara at mirt.net
Wed Sep 22 19:32:30 CEST 2010


Hi David,

Yes, OpenSSL has recently added a functionality called "capi engine" that should allow to use Windows Certificate Store in stunnel. Unfortunately it currently only seems to work with OpenSSL compiled with MSVC and not gcc.

My options are:
1. Wait for OpenSSL to fix this issue or for someone to find a workaround.  I tried to get it working and I failed.
2. Switch to OpenSSL compiled with MSVC. That's inconvenient, but since your company makes money on stunnel it could probably use some of them to convince me to implement such a change.

I agree selection of certificate should be implemented as service-level option. As you probably know each service-level option can also be specified in global section as a default for all service sections.

Starting stunnel from login script is not a problem.

Best regards,
  Mike

"Bucci, David G" <david.g.bucci at lmco.com> napisał:

>Hi - in an exchange last week, Michal, it sounded like you might be planning on adding the capability/option to the Windows version to select an identity certificate from the Windows certificate store (because it turns out OpenSSL added some supporting infrastructure for doing so, if I understood correctly).
>
>For planning purposes, do you have any sense yet of whether that's really going to happen, and in what timeframe or what target version?
>
>I think that'd be a change of high interest to a lot of people ... one suggestion, it would help integrators if there was a way to configure a msg into whatever selection dialog that comes up, asking the user to select a certificate from their identity store.  Thinking out loud -- probably also, in the case where multiple client tunnels are being set up, a way to make it either a global selection (for all client services), or a service specific selection -- hmm, though global only is probably fine, thinking about, since an integrator could always create a 2nd config, if a 2nd tunnel is needed 
>
>Thinking further, you would probably want to be careful that it would work early on during login, since I imagine like us, integrators would want to start it from a user's Startup folder, or from a login script.  I don't know Windows well enough to know if that constrains you (if the window mgr is up during login script exec, etc.).
>
>Thx!
>
>----
>David G. Bucci
>
>If you can't think of anything kind to say,
>could you at least have the decency to be vague?
>
>_______________________________________________
>stunnel-users mailing list
>stunnel-users at mirt.net
>http://stunnel.mirt.net/mailman/listinfo/stunnel-users

-- 
Wysłane z Androida za pomocą K-9 Mail. Prosze wybaczyć lakoniczność.



More information about the stunnel-users mailing list