However, for verify level two or three, the client-side encryption engine needs to present a client certificate to the server.
Is this client certificate you mention one of the certs of the server being connected to (is it from "mainserver", or the CA I created)? Like, will I have to pass out this cert to any clients I know will be connecting, so that they all have it, before they can connect at level 2 or 3? Or is it just something built into the software a connecting person is using?
I apologize for my ignorance and appreciate your patience; I just haven't had to worry about something like this in setting up any SSL-secured services before. For example, with https, as long as the web server is configured to serve that protocol, it "just works" and you don't have to worry about providing certs to everyone connecting to your web site. (Or perhaps I'm making a leap there, and you don't mean above that each client has to have a copy of some cert from the server.) I guess I'm trying to figure out the difference between that and this issue with stunnel.
Dave