
Hi all,

I have configured stunnel to do client authentication, but I have some questions. I have used the following config:

    cert = /etc/certificates/server.pem      - file with signed server cert and key (passwordless)
    chroot = /var/run/stunnel/
    CAfile = /etc/certificates/certs         - file where the first item is my CA certificate, followed by a list of all client certificates signed by my CA
    setuid = nobody
    setgid = nogroup
    pid = /stunnel.pid
    verify = 3

This setup is working, but it seems very "illogical" to me. If I create a "more logical" setup for myself:

    cert = /etc/certificates/server.pem
    chroot = /var/run/stunnel/
    CAfile = /etc/certificates/CA/cacert.pem - only the certificate of my CA
    CRLfile = /etc/certificates/crls         - only certificates signed by my CA

I get the following error:

    2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C= .....
    2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C=

The question is ... why? Why does CAfile have to contain all client certificates, when the client certs are not a CA? Why can't I have a separate file for the CA and a separate file for the certificates that I want to accept? If I do a similar setup in mod_ssl, the configuration works as expected.

Anyway, I'm a newbie at deploying stunnel, so I would like to ask you for your opinion on this configuration, caveats and possible enhancements.

Thanks for any comments,
Bohdan Linda
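The behaviour in the post follows from the meaning of the stunnel verify levels as documented in the stunnel manual: verify = 2 checks that the client certificate chains to a CA in CAfile/CApath, while verify = 3 additionally requires a copy of the client certificate itself to be installed locally in CAfile/CApath, which is exactly what the "VERIFY ERROR ONLY MY: no cert for ..." line reports. CRLfile, for its part, expects a PEM certificate revocation list issued by the CA, not a list of client certificates. Below is an added example stunnel.conf (not the poster's own configuration): it keeps the poster's paths where they exist, and the CRL path, the [sslserver] section name and its ports are assumptions chosen for illustration. It shows the "CA-only CAfile" layout the poster wanted, which works with verify = 2, and notes what verify = 3 adds.

```ini
; Added example stunnel.conf, not the original poster's file.
; Global options (paths taken from the post; CRL path is an assumption).
cert   = /etc/certificates/server.pem
chroot = /var/run/stunnel/
setuid = nobody
setgid = nogroup
; pid is interpreted relative to the chroot directory.
pid    = /stunnel.pid

; verify = 2: accept any client certificate that chains to the CA below
; and is not revoked. CAfile holds ONLY the CA certificate; client
; certificates do not need to be listed.
; verify = 3 would additionally require each accepted client certificate
; to be present in CAfile/CApath ("locally installed certificate"), which
; is why the poster's first configuration needs the full client list.
verify  = 2
CAfile  = /etc/certificates/CA/cacert.pem
; A PEM CRL issued by that CA (assumed path). Revoked client certificates
; are rejected even though they chain correctly to the CA.
CRLfile = /etc/certificates/CA/crl.pem

; Service section (name, accept port and backend are assumptions).
[sslserver]
accept  = 8443
connect = 127.0.0.1:8080
```

With this layout, controlling which clients are accepted becomes a matter of which certificates the CA issues and which ones are revoked: a CRL can be produced from the CA's database with `openssl ca -gencrl -out crl.pem` and the file referenced by CRLfile replaced when it changes. If the goal is instead a fixed allow-list of individual certificates regardless of what the CA has signed, verify = 3 with the client certificates in CAfile (or one file per certificate under CApath) is the setting that expresses it.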