Thanks, Dmitry.
I've now figured out CAPath and cert for this version.
I'm using
verify=2 # so as not to verify the host certificate
stunnel-standalone-msspi.exe
stunnel 5.40 on x86-pc-msvc-1900 platform
But the problem hasn't gone away.
When accessing through the tunnel at http://127.0.0.1:1500/ I get
Error number 0x80090308 (-2146893048).
Предоставленный функции токен неправилен
stunnel config:
output=stun.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
[https]
client=yes
accept=127.0.0.1:1500
connect=test.rb-ei.com:443
cert=7b 59 3c 36 78 70 c9 6e fb d8 b8 e4 10 04 cc a4 90 c3 16 3d
verify=2
csptest -tlsc -server "127.0.0.1" -port 1500 file "/cpuEnquiry.asp" -user "Тестовый пользователь 2016" -v
#0:
Subject: E=cs@bki-okb.ru, C=RU, L=Москва, O=ЗАО ОКБ, CN=Тестовый пользователь 2016, T=Тестовый пользователь
Valid : 11.04.2016 09:53:00 - 11.04.2021 10:03:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
PrivKey: 11.04.2016 09:53:00 - 11.04.2017 09:53:00 (UTC)
Client certificate:
Subject: E=cs@bki-okb.ru, C=RU, L=Москва, O=ЗАО ОКБ, CN=Тестовый пользователь 2016, T=Тестовый пользователь
Valid : 11.04.2016 09:53:00 - 11.04.2021 10:03:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
PrivKey: 11.04.2016 09:53:00 - 11.04.2017 09:53:00 (UTC)
6 algorithms supported:
[0] 1.2.643.2.2.21 (ГОСТ 28147-89)
[1] 1.2.643.2.2.3 (ГОСТ Р 34.11/34.10-2001)
[2] 1.2.643.7.1.1.2.2 (ГОСТ Р 34.11-2012 256 бит)
[3] 0x801f
[4] 0x2e1e
[5] 1.2.643.2.2.19 (ГОСТ Р 34.10-2001)
Cipher strengths: 256..256
Supported protocols: 0x80
Protocol version: 3.1
ClientHello: RecordLayer: TLS, Len: 80
Cipher Suites: (ff 85) (00 81) (00 32) (00 31)
85 bytes of handshake data sent
505 bytes of handshake data received
**** Error 0x80090308 returned by InitializeSecurityContext (2)
An error occurred in running the program.
WebClient.c:575:Error performing handshake.
Error number 0x80090308 (-2146893048).
Предоставленный функции токен неправилен
Total: SYS: 0,234 sec USR: 0,469 sec UTC: 1,085 sec
[ErrorCode: 0x80090308]
At the same time:
csptest -tlsc -server "test.rb-ei.com" -port 443 file "/cpuEnquiry.asp" -user "Тестовый пользователь 2016" -v
#0:
Subject: E=cs@bki-okb.ru, C=RU, L=Москва, O=ЗАО ОКБ, CN=Тестовый пользователь 2016, T=Тестовый пользователь
Valid : 11.04.2016 09:53:00 - 11.04.2021 10:03:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
PrivKey: 11.04.2016 09:53:00 - 11.04.2017 09:53:00 (UTC)
Client certificate:
Subject: E=cs@bki-okb.ru, C=RU, L=Москва, O=ЗАО ОКБ, CN=Тестовый пользователь 2016, T=Тестовый пользователь
Valid : 11.04.2016 09:53:00 - 11.04.2021 10:03:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
PrivKey: 11.04.2016 09:53:00 - 11.04.2017 09:53:00 (UTC)
6 algorithms supported:
[0] 1.2.643.2.2.21 (ГОСТ 28147-89)
[1] 1.2.643.2.2.3 (ГОСТ Р 34.11/34.10-2001)
[2] 1.2.643.7.1.1.2.2 (ГОСТ Р 34.11-2012 256 бит)
[3] 0x801f
[4] 0x2e1e
[5] 1.2.643.2.2.19 (ГОСТ Р 34.10-2001)
Cipher strengths: 256..256
Supported protocols: 0x80
Protocol version: 3.1
ClientHello: RecordLayer: TLS, Len: 85
Cipher Suites: (ff 85) (00 81) (00 32) (00 31)
90 bytes of handshake data sent
1184 bytes of handshake data received
210 bytes of handshake data sent
31 bytes of handshake data received
Handshake was successful
SECPKG_ATTR_CIPHER_INFO: Protocol: 80, Suite: 81 (TLS_GOSTR341001_WITH_28147_CNT_IMIT)
SECPKG_ATTR_CIPHER_INFO: Cipher: (GOST 28147-89), Len: 256, BlockLen: 1
SECPKG_ATTR_CIPHER_INFO: Hash: (GOST R 34.11-94), Len: 256
SECPKG_ATTR_CIPHER_INFO: Exchange: (GOST DH 34.10-2001), MinLen: 512, MaxLen: 512
SECPKG_ATTR_CIPHER_INFO: Certificate: (GR 34.10-2001), KeyType: 0
SECPKG_ATTR_NAMES: E=pki@e-i.ru, C=RU, L=Moscow, O=UCB, CN=*.rb-ei.com
SECPKG_ATTR_PACKAGE_INFO# fCapabilities: 0x107B3
SECPKG_ATTR_PACKAGE_INFO# wVersion: 1
SECPKG_ATTR_PACKAGE_INFO# wRPCID: 65535
SECPKG_ATTR_PACKAGE_INFO# cbMaxToken: 16379
SECPKG_ATTR_PACKAGE_INFO# Name: CryptoPro SSP
SECPKG_ATTR_PACKAGE_INFO# Comment: CryptoPro Security Package
Server certificate:
Subject: E=pki@e-i.ru, C=RU, L=Moscow, O=UCB, CN=*.rb-ei.com
Valid : 09.06.2016 13:19:00 - 09.06.2017 13:29:00 (UTC)
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Protocol: TLS 1.0
Cipher: 0x661e
Cipher strength: 256
Hash: 0x801e
Hash strength: 256
Key exchange: 0xaa25
Key exchange strength: 512
Header: 5, Trailer: 4, MaxMessage: 16384
HTTP request: GET / HTTP/1.1
User-Agent: Webclient
Accept:*/*
Host: test.rb-ei.com
Connection: close
Sending plaintext: 94 bytes
112 bytes of application data sent
13 bytes of (encrypted) application data received
Decrypted data: 0 bytes
Server requested renegotiate!
79 bytes of handshake data sent
2335 bytes of handshake data received
1341 bytes of handshake data sent
35 bytes of handshake data received
Handshake was successful
392 bytes of (encrypted) application data received
Decrypted data: 383 bytes
No data in socket: OK if file is completely downloaded
Reply status: HTTP/1.1 200 OK
Sending Close Notify
11 bytes of handshake data sent
1 connections, 383 bytes in 0.943 seconds;
Total: SYS: 0,297 sec USR: 0,531 sec UTC: 2,027 sec
[ErrorCode: 0x00000000]