[stunnel-users] Stunnel 3.50 Win - CAPI stopped working

pepak at seznam.cz pepak at seznam.cz
Fri Feb 15 08:13:46 CET 2019


Hello,

I have encountered a bug in Stunnel version 3.50. I have a setup with 
two computers (Server and Client) connected using Stunnel. The client is 
using a hardware token through the CAPI engine to authenticate itself to 
a server, using a config file:

-----
fips = no
taskbar = yes
options = NO_SSLv2
options = NO_SSLv3
sslVersion = TLSv1.2
engine = capi

[my-server]
client = yes
accept = 22
connect = my.server.com:1234
requireCert = yes
verifyChain = yes
verifyPeer = yes
CAfile = my-cert-chain.pem
engineId = capi
-----

This setup works perfectly in Stunnel 3.49: When I try to connect to 
localhost:22, I receive a request to select a certificate and enter its 
PIN, and if successful, a connection to my server is established.

In Stunnel 3.50, the connection fails to complete. The Stunnel log shows:

LOG5[0]: Service [my-server] accepted connection from 127.0.0.1:49713
LOG5[0]: s_connect: connected 1.2.3.4:1234
LOG5[0]: Service [my-server] connected remote server from 10.11.12.13:49714
LOG5[0]: Certificate accepted at depth=0: CN=My server
LOG3[0]: error queue: 141F0006: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

However, if I change the engine to the default one and use a certificate 
in a file, everything works fine. That suggests to me that the problem 
lies in Stunnel's CAPI engine library.

It is quite possible the problem is caused by the CAPI engine itself. I 
was experimenting with OpenSSL 1.1.1a some time back, trying to compile 
my own library files, and I just couldn't get CAPI to work at all - 
the libraries themselves compiled OK and worked fine, but the CAPI 
engine just wouldn't work (while it was OK with OpenSSL 1.0.2q); the 
only way I could get CAPI to work with OpenSSL 1.1.1a was to use the 
1.1.1a libraries and the 1.0.2q capi.dll. However, I am far from an 
expert on compiling OpenSSL, so I may have gotten it completely wrong.

Could someone please verify that their CAPI engine is working with 
Stunnel? Also, it may be worth trying to compile a 64bit CAPI.dll from 
version 1.0.2q just to see if it might start working - in that case, a 
bug report to OpenSSL may be in order.

Thanks.

pepak
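The log excerpt above is the useful part of this report: the peer's certificate is accepted at depth 0, and only then does the client fail while building its own CertificateVerify, because the engine refuses the private-key operation. The small Python script below is an added example (not part of the post, not stunnel's code) that parses stunnel log lines of this shape, groups them per connection index and tells a "remote cert rejected" failure apart from a "local engine could not sign" failure. The failing lines are the ones quoted in the post; the second, successful connection is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: connection [0] is the failing handshake quoted in the
# post (wrapped lines joined); connection [1] is a made-up successful session.
SAMPLE_LOG = """\
LOG5[0]: Service [my-server] accepted connection from 127.0.0.1:49713
LOG5[0]: s_connect: connected 1.2.3.4:1234
LOG5[0]: Service [my-server] connected remote server from 10.11.12.13:49714
LOG5[0]: Certificate accepted at depth=0: CN=My server
LOG3[0]: error queue: 141F0006: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
LOG3[0]: SSL_connect: 8006F074: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
LOG5[1]: Service [my-server] accepted connection from 127.0.0.1:49720
LOG5[1]: s_connect: connected 1.2.3.4:1234
LOG5[1]: Certificate accepted at depth=0: CN=My server
LOG5[1]: Connection closed: 4321 byte(s) sent to TLS, 8765 byte(s) sent to socket
"""

# stunnel line: LOG<level>[<connection index>]: <message>
LINE_RE = re.compile(r"^LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")
CLOSED_RE = re.compile(
    r"Connection closed: (?P<to_tls>\d+) byte\(s\) sent to TLS, (?P<to_sock>\d+) byte\(s\) sent to socket")


def parse_line(line):
    """Return a dict for one stunnel log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"level": int(m.group("level")), "conn": int(m.group("conn")),
           "msg": m.group("msg")}
    err = OSSL_ERR_RE.search(rec["msg"])
    if err:
        rec["ossl"] = err.groupdict()
    return rec


def classify_connections(log_text):
    """Group records by connection index and summarise how each one ended."""
    per_conn = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_conn[rec["conn"]].append(rec)

    summary = {}
    for conn, recs in per_conn.items():
        peer_verified = any(r["msg"].startswith("Certificate accepted at depth=0")
                            for r in recs)
        errors = [r["ossl"] for r in recs if "ossl" in r]
        # An error raised inside an engine's private-key routine (here the
        # CAPI engine's capi_rsa_priv_enc) means the local side could not
        # sign the CertificateVerify message, not that the peer was rejected.
        engine_errs = [e for e in errors if "priv" in e["func"].lower()
                       or e["func"].lower().startswith("capi")]
        bytes_moved = 0
        for r in recs:
            c = CLOSED_RE.search(r["msg"])
            if c:
                bytes_moved = int(c.group("to_tls")) + int(c.group("to_sock"))

        if engine_errs:
            verdict = "engine-key-failure"
        elif errors:
            verdict = "tls-error"
        elif bytes_moved > 0:
            verdict = "success"
        else:
            verdict = "incomplete"

        summary[conn] = {
            "verdict": verdict,
            "peer_verified": peer_verified,
            "failing_function": engine_errs[0]["func"] if engine_errs else None,
            "errors": errors,
        }
    return summary


if __name__ == "__main__":
    for conn, info in sorted(classify_connections(SAMPLE_LOG).items()):
        print(f"connection {conn}: {info['verdict']} "
              f"(peer verified: {info['peer_verified']}, "
              f"failing function: {info['failing_function']})")
```

Run against a real stunnel log file, the "engine-key-failure" verdict with "peer_verified" set is exactly the pattern described in the post: chain and peer verification succeeded, and the handshake died in the client's own signing step.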
