I have a client and a server where the client isn't very good and the server requires a MASSL (Mutual Auth SSL, aka client-certificate-authenticated) connection. I need to get one of two things to work. Either:
1) The client makes a non-SSL connection to stunnel on the local machine, which then performs a MASSL connection to the server using a client certificate, or
2) The client makes a plain SSL connection to stunnel on the local machine, which then performs a MASSL connection to the server using a client certificate.

Can stunnel be used in this manner?

If so, would someone please give me some hints on configuration?

For extra credit, it would be awesome if the client private key were stored in a PKCS#11 device (HSM).

Thank you,