Re: CAPI engine seems to break server validation

On 2020-10-23 15:45, Matt Caswell wrote:
> On 23/10/2020 14:10, Brett Stahlman wrote:
>> It seems that the CAPI engine is breaking the server verification somehow.
>> Note that the only reason I'm using the ca-bundle.crt is that I couldn't
>> figure out how to get CAPI to load the Windows "ROOT" certificate
>> store, which contains the requisite CA certs. Ideally, server
>> authentication would use the CA certs in the Windows "ROOT" store, and
>> client authentication would use the certs in the Windows "MY" store, but
>> CAPI doesn't appear to be loading either one.
> This is probably the following issue:
>
> https://github.com/openssl/openssl/issues/8872
>
> Matt

Looking at the brutal wontfixing of that bug, maybe reconsider if the
existing engine interface can do PSS by simply having the CAPI/CAPIng
engine export the generic PKEY type for PSS-capable RSA keys.  Also,
maybe use a compatible stronger CAPI "provider" (their engines) to do
stronger hashes etc.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



