Perhaps the OpenSSL build used in stunnel-standalone-msspi.exe had an effect:
for version 5.40 it is openssl-1.0.2k-gost
for version 5.41 it is openssl-1.0.2k-gost-0.9
Correct me if I'm wrong.
But in that case, how to work out the correct version to connect with has so far remained a mystery to me.
I tried to rely on the output of the csptest utility:
>csptest -tlsc -server "test.rb-ei.com" -port 443 file "/cpuEnquiry.asp" -user "Тестовый пользователь 2017" -v
csptest -tlsc -server test.rb-ei.com -port 443 -user Тестовый пользователь 2017
-v file /cpuEnquiry.asp
Client certificate:
Subject: E=cs@bki-okb.ru, C=RU, L=Москва, O=ЗАО ОКБ, CN=Тестовый пользователь 2017, T=Тестовый пользователь
Valid : 10.04.2017 12:54:00 - 10.04.2022 13:04:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
PrivKey: 10.04.2017 12:54:00 - 10.04.2018 12:54:00 (UTC)
5 algorithms supported:
[0] 1.2.643.2.2.21 (ГОСТ 28147-89)
[1] 1.2.643.2.2.3 (ГОСТ Р 34.11/34.10-2001)
[2] 0x801f
[3] 0x2e1e
[4] 1.2.643.2.2.19 (ГОСТ Р 34.10-2001)
Cipher strengths: 256..256
Supported protocols: 0x80
Protocol version: 3.1
ClientHello: RecordLayer: TLS, Len: 121
Cipher Suites: (00 81) (00 32) (00 31)
126 bytes of handshake data sent
1179 bytes of handshake data received
210 bytes of handshake data sent
31 bytes of handshake data received
Handshake was successful
SECPKG_ATTR_CIPHER_INFO: Proto: 80, Suite: 81 (TLS_GOST_R_3410_01_WITH_28147_CNT_IMIT)
SECPKG_ATTR_NAMES: E=pki@e-i.ru, C=RU, L=Moscow, O=UCB, CN=*.rb-ei.com
SECPKG_ATTR_PACKAGE_INFO# fCapabilities: 0x107B3
SECPKG_ATTR_PACKAGE_INFO# wVersion: 1
SECPKG_ATTR_PACKAGE_INFO# wRPCID: 65535
SECPKG_ATTR_PACKAGE_INFO# cbMaxToken: 16379
SECPKG_ATTR_PACKAGE_INFO# Name: CryptoPro SSP
SECPKG_ATTR_PACKAGE_INFO# Comment: CryptoPro Security Package
Server certificate:
Subject: E=pki@e-i.ru, C=RU, L=Moscow, O=UCB, CN=*.rb-ei.com
Valid : 09.06.2017 13:41:00 - 09.06.2018 13:51:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Protocol: TLS 1.0
Cipher: 0x661e
Cipher strength: 256
Hash: 0x801e
Hash strength: 256
Key exchange: 0xaa25
Key exchange strength: 512
Header: 5, Trailer: 4, MaxMessage: 16379
HTTP request: GET / HTTP/1.1
User-Agent: Webclient
Accept:*/*
Host: test.rb-ei.com
Connection: close
Sending plaintext: 94 bytes
112 bytes of application data sent
13 bytes of (encrypted) application data received
Decrypted data: 0 bytes
Server requested renegotiate!
98 bytes of handshake data sent
2306 bytes of handshake data received
1341 bytes of handshake data sent
35 bytes of handshake data received
Handshake was successful
325 bytes of (encrypted) application data received
Decrypted data: 316 bytes
No data in socket: OK if file is completely downloaded
Reply status: HTTP/1.1 200 OK
Sending Close Notify
11 bytes of handshake data sent
1 connections, 316 bytes in 0.848 seconds;
Total: SYS: 0,078 sec USR: 0,094 sec UTC: 1,196 sec
[ErrorCode: 0x00000000]
But the output of both stunnel versions with the -version and -options parameters is identical:
stunnel 5.40
>stunnel-standalone-msspi_5.40.exe -version
stunnel 5.40 on x86-pc-msvc-1900 platform
Compiled with OpenSSL 1.0.2j 26 Sep 2016
Running with OpenSSL 1.0.2k 26 Jan 2017
Update OpenSSL shared libraries or rebuild stunnel
Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
Global options:
RNDbytes = 64
RNDoverwrite = yes
taskbar = yes
Service-level options:
ciphers = HIGH:!DH:!aNULL:!SSLv2
curve = prime256v1
debug = notice
logId = sequential
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
>stunnel-standalone-msspi_5.40.exe -options
stunnel 5.40 on x86-pc-msvc-1900 platform
Compiled with OpenSSL 1.0.2j 26 Sep 2016
Running with OpenSSL 1.0.2k 26 Jan 2017
Update OpenSSL shared libraries or rebuild stunnel
Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
Supported TLS options:
options = MICROSOFT_SESS_ID_BUG
options = NETSCAPE_CHALLENGE_BUG
options = LEGACY_SERVER_CONNECT
options = NETSCAPE_REUSE_CIPHER_CHANGE_BUG
options = TLSEXT_PADDING
options = MICROSOFT_BIG_SSLV3_BUFFER
options = SAFARI_ECDHE_ECDSA_BUG
options = SSLEAY_080_CLIENT_DH_BUG
options = TLS_D5_BUG
options = TLS_BLOCK_PADDING_BUG
options = MSIE_SSLV2_RSA_PADDING
options = SSLREF2_REUSE_CERT_TYPE_BUG
options = DONT_INSERT_EMPTY_FRAGMENTS
options = ALL
options = NO_QUERY_MTU
options = COOKIE_EXCHANGE
options = NO_TICKET
options = CISCO_ANYCONNECT
options = NO_SESSION_RESUMPTION_ON_RENEGOTIATION
options = NO_COMPRESSION
options = ALLOW_UNSAFE_LEGACY_RENEGOTIATION
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
options = EPHEMERAL_RSA
options = CIPHER_SERVER_PREFERENCE
options = TLS_ROLLBACK_BUG
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = NO_TLSv1.2
options = PKCS1_CHECK_1
options = PKCS1_CHECK_2
options = NETSCAPE_CA_DN_BUG
options = NETSCAPE_DEMO_CIPHER_CHANGE_BUG
options = CRYPTOPRO_TLSEXT_BUG
options = NO_DTLSv1
options = NO_DTLSv1_2
options = NO_SSL_MASK
stunnel 5.41
>stunnel-standalone-msspi.exe -version
stunnel 5.41 on x86-pc-msvc-1900 platform
Compiled with OpenSSL 1.0.2j 26 Sep 2016
Running with OpenSSL 1.0.2k 26 Jan 2017
Update OpenSSL shared libraries or rebuild stunnel
Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
Global options:
RNDbytes = 64
RNDoverwrite = yes
taskbar = yes
Service-level options:
ciphers = HIGH:!DH:!aNULL:!SSLv2
curve = prime256v1
debug = notice
logId = sequential
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
>stunnel-standalone-msspi.exe -options
stunnel 5.41 on x86-pc-msvc-1900 platform
Compiled with OpenSSL 1.0.2j 26 Sep 2016
Running with OpenSSL 1.0.2k 26 Jan 2017
Update OpenSSL shared libraries or rebuild stunnel
Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
Supported TLS options:
options = MICROSOFT_SESS_ID_BUG
options = NETSCAPE_CHALLENGE_BUG
options = LEGACY_SERVER_CONNECT
options = NETSCAPE_REUSE_CIPHER_CHANGE_BUG
options = TLSEXT_PADDING
options = MICROSOFT_BIG_SSLV3_BUFFER
options = SAFARI_ECDHE_ECDSA_BUG
options = SSLEAY_080_CLIENT_DH_BUG
options = TLS_D5_BUG
options = TLS_BLOCK_PADDING_BUG
options = MSIE_SSLV2_RSA_PADDING
options = SSLREF2_REUSE_CERT_TYPE_BUG
options = DONT_INSERT_EMPTY_FRAGMENTS
options = ALL
options = NO_QUERY_MTU
options = COOKIE_EXCHANGE
options = NO_TICKET
options = CISCO_ANYCONNECT
options = NO_SESSION_RESUMPTION_ON_RENEGOTIATION
options = NO_COMPRESSION
options = ALLOW_UNSAFE_LEGACY_RENEGOTIATION
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
options = EPHEMERAL_RSA
options = CIPHER_SERVER_PREFERENCE
options = TLS_ROLLBACK_BUG
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = NO_TLSv1.2
options = PKCS1_CHECK_1
options = PKCS1_CHECK_2
options = NETSCAPE_CA_DN_BUG
options = NETSCAPE_DEMO_CIPHER_CHANGE_BUG
options = CRYPTOPRO_TLSEXT_BUG
options = NO_DTLSv1
options = NO_DTLSv1_2
options = NO_SSL_MASK
No idea where to dig!
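One way to compare the two tools systematically, as an added example that is not part of the post above: a small Python parser that extracts from a `csptest -tlsc -v` trace what was actually negotiated (protocol, cipher suite, number of completed handshakes, server-initiated renegotiation) and from a `stunnel -version` banner whether the "Compiled with" and "Running with" OpenSSL versions differ (the condition behind the "Update OpenSSL shared libraries or rebuild stunnel" warning). The sample strings are constructed from the output quoted in the post, trimmed to the lines the parser reads; the hint texts are this example's own wording.

```python
import re

# Constructed sample: lines taken from the csptest trace quoted in the post.
CSPTEST_TRACE = """\
Protocol version: 3.1
ClientHello: RecordLayer: TLS, Len: 121
Cipher Suites: (00 81) (00 32) (00 31)
Handshake was successful
SECPKG_ATTR_CIPHER_INFO: Proto: 80, Suite: 81 (TLS_GOST_R_3410_01_WITH_28147_CNT_IMIT)
Server certificate:
Subject: E=pki@e-i.ru, C=RU, L=Moscow, O=UCB, CN=*.rb-ei.com
Valid : 09.06.2017 13:41:00 - 09.06.2018 13:51:00 (UTC)
Protocol: TLS 1.0
Server requested renegotiate!
Handshake was successful
Reply status: HTTP/1.1 200 OK
[ErrorCode: 0x00000000]
"""

# Constructed sample: the `stunnel -version` banner quoted in the post.
STUNNEL_540_VERSION = """\
stunnel 5.40 on x86-pc-msvc-1900 platform
Compiled with OpenSSL 1.0.2j 26 Sep 2016
Running with OpenSSL 1.0.2k 26 Jan 2017
Update OpenSSL shared libraries or rebuild stunnel
"""


def parse_stunnel_version(banner: str) -> dict:
    """Extract the stunnel version and the compile-time vs run-time OpenSSL
    versions from `stunnel -version` output and flag a mismatch."""
    ver = re.search(r"^stunnel (\S+) on", banner, re.M)
    compiled = re.search(r"^Compiled with OpenSSL (\S+)", banner, re.M)
    running = re.search(r"^Running with OpenSSL (\S+)", banner, re.M)
    info = {
        "stunnel": ver.group(1) if ver else None,
        "compiled_openssl": compiled.group(1) if compiled else None,
        "running_openssl": running.group(1) if running else None,
    }
    info["openssl_mismatch"] = (
        info["compiled_openssl"] is not None
        and info["compiled_openssl"] != info["running_openssl"]
    )
    return info


def parse_csptest_trace(trace: str) -> dict:
    """Summarise a `csptest -tlsc -v` trace: negotiated protocol and suite,
    suites offered in ClientHello, completed handshakes, whether the server
    forced a renegotiation, the server certificate subject and the exit code."""
    suite = re.search(r"Suite: (\w+) \(([A-Z0-9_]+)\)", trace)
    proto = re.search(r"^Protocol: (.+)$", trace, re.M)
    subj = re.search(r"^Server certificate:\nSubject: (.+)$", trace, re.M)
    offered = re.findall(r"\(([0-9a-f]{2} [0-9a-f]{2})\)", trace)
    handshakes = len(re.findall(r"^Handshake was successful$", trace, re.M))
    err = re.search(r"\[ErrorCode: (0x[0-9A-Fa-f]+)\]", trace)
    return {
        "protocol": proto.group(1) if proto else None,
        "suite_id": suite.group(1) if suite else None,
        "suite_name": suite.group(2) if suite else None,
        "offered_suites": offered,
        "handshakes": handshakes,
        "renegotiated": "Server requested renegotiate!" in trace,
        "server_subject": subj.group(1) if subj else None,
        "error_code": err.group(1) if err else None,
    }


def stunnel_hints(summary: dict) -> list:
    """Turn the csptest summary into things to verify in the stunnel service
    section before expecting the tunnel to reproduce the csptest result."""
    hints = []
    if summary["protocol"] == "TLS 1.0":
        hints.append("server negotiated TLS 1.0: the service must not set "
                     "options = NO_TLSv1")
    if summary["renegotiated"]:
        hints.append("server-initiated renegotiation (client certificate "
                     "requested after the first request): the tunnel must "
                     "permit renegotiation and hold the client certificate")
    if summary["suite_name"] and "GOST" in summary["suite_name"]:
        hints.append("GOST suite %s negotiated: the 'ciphers' setting must "
                     "admit it" % summary["suite_name"])
    return hints


if __name__ == "__main__":
    print(parse_stunnel_version(STUNNEL_540_VERSION))
    s = parse_csptest_trace(CSPTEST_TRACE)
    print(s)
    for h in stunnel_hints(s):
        print("-", h)
```

Feeding a trace from a failing stunnel run into the same parser (via `debug = 7` logging, for instance) and diffing the two summaries narrows the search to the concrete parameter that differs, instead of comparing option lists that are identical between 5.40 and 5.41.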