Haven't found the answer for this issue. 

The scheme is :

TLS-client <==tls==> stunnel-server <==open==> App-server

In user session stunnel-server perform authorization for client with its certificate (verify=2) and send request further to App-server.

How does App-server can identify user in this session? To grand permissions. Ideally it would be good to know CN or EKU of user certificate. Is it possible?

Thanks a lot!!

Denis