Hi,
I want to control access to a service reachable through stunnel. Only those clients that provide a known certificate shall be allowed to use the service. I have found the option "CApath"; can this directory be used to collect all client certificates? Or is it absolutely necessary to have CA certs there?
Another thing in this environment: I do not know or own every CA certificate used by the clients - I only get the client certificates themselves. So I want to do only a one-level client cert verification. Which verify level do I need for this? 2 or 3?
What about removing certificates from the CApath directory? Do I have to restart stunnel for this change to take effect?
Another thing: since the client certificates are not revoked by us, I am not able to use CRLs for controlling access to our service.