CAPI engine seems to break server validation

Jakob Bohm jb-openssl at wisemo.com
Fri Oct 23 15:33:53 UTC 2020


On 2020-10-23 15:45, Matt Caswell wrote:
>
> On 23/10/2020 14:10, Brett Stahlman wrote:
>> It seems that the CAPI engine is breaking the server verification somehow.
>> Note that the only reason I'm using the ca-bundle.crt is that I couldn't
>> figure out how to get CAPI to load the Windows "ROOT" certificate
>> store, which contains the requisite CA certs. Ideally, server
>> authentication would use the CA certs in the Windows "ROOT" store, and
>> client authentication would use the certs in the Windows "MY" store, but
>> CAPI doesn't appear to be loading either one.
> This is probably the following issue:
>
> https://github.com/openssl/openssl/issues/8872
>
> Matt
Looking at the brutal wontfixing of that bug, maybe reconsider if the
existing engine interface can do PSS by simply having the CAPI/CAPIng
engine export the generic PKEY type for PSS-capable RSA keys.  Also,
maybe use a compatible stronger CAPI "provider" (their engines) to do
stronger hashes etc.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
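Added example, not part of this thread and not OpenSSL's or WiseMo's code: a PowerShell script that exports the Windows "ROOT" store to a PEM bundle OpenSSL can consume via -CAfile, so the verification side uses the anchors the machine already trusts instead of a ca-bundle.crt fetched from elsewhere. The store path, the output file name and the validity/self-signed filter are my choices. It covers only server verification; the client certificate and non-exportable private key in "MY" still need the engine, and it does nothing about the PSS point raised above.

```powershell
# Added example: export the Windows "ROOT" store to a PEM CA bundle for OpenSSL -CAfile.
# Assumptions: the current user's view of the ROOT store is the desired trust set
# (use Cert:\LocalMachine\Root for the machine-wide store), and only currently valid,
# self-signed entries should become OpenSSL trust anchors.
param(
    [string]$StorePath = 'Cert:\CurrentUser\Root',
    [string]$OutFile   = 'windows-root-bundle.pem'
)

# Resolve against PowerShell's current location; .NET's working directory can differ.
$OutFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)

$now   = Get-Date
$lines = New-Object System.Collections.Generic.List[string]
$count = 0

foreach ($cert in Get-ChildItem -Path $StorePath) {
    # OpenSSL checks the anchor's validity period too, so expired roots would only add noise.
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { continue }
    # Keep self-signed entries only: intermediates or cross-certs that ended up in ROOT
    # are not trust anchors and should come from the server's chain instead.
    if ($cert.Subject -ne $cert.Issuer) { continue }

    # Export DER, then wrap Base64 at 64 columns as PEM readers expect.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)

    # Lines outside BEGIN/END are ignored by OpenSSL's PEM reader; use them for provenance.
    $lines.Add("# Subject: $($cert.Subject)")
    $lines.Add("# SHA1 thumbprint: $($cert.Thumbprint)")
    $lines.Add('-----BEGIN CERTIFICATE-----')
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $lines.Add($b64.Substring($i, [Math]::Min(64, $b64.Length - $i)))
    }
    $lines.Add('-----END CERTIFICATE-----')
    $count++
}

# Write plain UTF-8 without BOM: Out-File's default BOM would corrupt the first PEM line.
$enc = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllLines($OutFile, $lines.ToArray(), $enc)

Write-Host "Wrote $count trust anchors to $OutFile"
Write-Host "Check with: openssl s_client -connect host:443 -CAfile `"$OutFile`"  (expect 'Verify return code: 0 (ok)')"
```

Two caveats when using the bundle. Windows fetches many roots on demand through its automatic root update mechanism, so a freshly installed machine's ROOT store may be missing anchors that Windows itself would have trusted after a download; re-run the export after the machine has seen the relevant sites, or export from LocalMachine on a populated host. And the bundle is a snapshot, so anything that revokes or distrusts a root on the Windows side will not reach OpenSSL until the script is run again.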



More information about the openssl-users mailing list