[stunnel-users] Client certificate using CAPI
Małgorzata Olszówka
gosia at olszowka.net
Wed Feb 1 10:55:25 CET 2017
Hello,
I noticed the following logs:
2017.01.31 18:24:27 LOG3[0]: error queue: 14099006: error:14099006:SSL routines:ssl3_send_client_verify:EVP lib
2017.01.31 18:24:27 LOG3[0]: SSL_connect: 80070063: error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object
The capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached
to the key for cryptographic operations. Unfortunately this means that
SHA2 algorithms are not supported for client authentication.
OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2
in earlier versions of OpenSSL it will not use SHA2 for client auth so
that will also work.
So try to set the global option:
sslVersion = TLSv1.1
Regards.
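
The workaround from this message, shown in context as an added stunnel.conf sketch (not part of the original post and not taken from the stunnel project's files). The service name, addresses and ports are placeholders.

```ini
; Constructed example: service name, addresses and ports are placeholders.

; Load the Windows CryptoAPI engine so the client key stays in the
; Windows certificate store.
engine = capi

; Workaround for "CAPI_RSA_SIGN:cant create hash object" with
; OpenSSL 1.0.2 and earlier: with TLS 1.2 disabled, client
; authentication does not use SHA2, which the key's CSP cannot hash.
; Set before any [service] section, as the message suggests.
; With OpenSSL 1.1.0, which adds its own workaround, this line
; should not be needed.
sslVersion = TLSv1.1

[example-service]
client = yes
engineId = capi
accept = 127.0.0.1:8080
connect = server.example:8443
```

The setting limits the whole connection to TLS 1.1, so the server must still accept that version for the handshake to succeed.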