I'm having trouble enabling TLS 1.2 connections on a Windows (environment has both Windows 2008 and Windows 10 environments) platform. Currently, my private keys are managed by the Windows certificate store, using the CAPI engineId within stunnel (v 5.41), which uses OpenSSL 1.0.2k-fips. Because of this, stunnel can only negotiate a TLS 1.1 connection (SSLv2 and SSLv3/TLS1 are disabled for obvious reasons).
I’ve tried compiling OpenSSL 1.1.0f and stunnel 5.41, but no luck either cross compiling under CentOS, nor under Windows using either MSYS2/MINGW32 or Cygwin.
I am specifically looking for a way to manage the pfx/p12 (private key) in stunnel without resorting to the Windows certificate store. I found an example on how to configure stunnel to use capi - which worked beautifully, but because openssl 1.0.2 doesn't support ciphers that are used in TLS 1.2, only TLS 1.1 works. I need TLS 1.2.
https://www.stunnel.org/pipermail/stunnel-users/2017-February/005720.html documents why I can't use TLS 1.2 with OpenSSL 1.0.2.
OpenSSL 1.0.2 is what is built into stunnel 5.41. Recompiling didn't work. I'm specifically looking for how to configure stunnel to point at a pkcs12 key.
Solution based on dave_thompson_085's comment:
The solution was to simply put in the location of the p12 file for the cert variable, do not include engineId, do not include key. Don't worry about the password, stunnel will prompt for password.
I kept thinking that I needed to set an engine - as with pkcs11 or capi.
Ie., I was over thinking and completely missed the obvious.
Example of snippet that worked for me below. (Everything above was left as default, except sslOptions, which was set to sslOptions=TLS1.2
[https-test-services]
client=yes
accept=127.0.0.1:7000
connect=hostname.of.remote.server:8443
verifyChain = yes
CAfile = ca-certs.pem
cert = C:\Location\To\certandkey.p12
checkHost = hostname.of.remote.server
OCSPaia=yes