For my Stunnel server, I'm using Windows ME, OpenSSL 0.9.7e and Stunnel 4.05.
I've created my own Certificate Authority on my server and created and signed a server certificate and multiple client certificates for Stunnel.
I plan to use Stunnel to secure my VNC connections to my PC - to encrypt the traffic and to validate the clients.
On the server side:
-------------------
I want to limit connections to my Stunnel server to only those Stunnel clients that present a client certificate that I already have a copy of on my server. And I want the Stunnel server to only recognize my own Certificate Authority as a valid CA for the clients' certificates.
Is this possible?
What options do I need to specify in the Stunnel server configuration file to make this work?
The documentation is confusing to me - for example, do I use CAfile or CApath to point Stunnel to the CA certificate? Will Stunnel recognize other CAs as trusted, if their certificates have been loaded by other programs like a browser or mail reader? Etcetera ...
On the client side:
-------------------
As with the server, I want my Stunnel client to only recognize my own CA as trusted. And I want it to validate the server certificate as thoroughly as possible. Is that verify level 3?
I need the CA certificate on my client, but do I use CAfile or CAcert in the config file to point to it?
Do I need a copy of the server certificate on my client so that the client can verify the server's certificate?
I'm so confused!
I've read the FAQ and Related links on stunnel.org and also the past 4 months' mailing list digests, but I'm still not clear on the certificate verification process or all the options in the configuration file.
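For the setup described in this post (a private CA, a server that admits only client certificates it already holds, and a client that trusts only that CA), the following pair of stunnel.conf fragments is added here as an illustration. It is not part of the original post and is not taken from the stunnel project's documentation; the file names, directory names, host name and port numbers are assumptions, and the hashed-file naming for CApath is the convention the 4.x series used for OpenSSL-style directory lookups.

```ini
; ---------- server side (stunnel.conf on the VNC host) ----------
; Assumed file names: stunnel.pem holds the server cert + private key,
; ca.pem holds ONLY the private CA certificate.
cert   = stunnel.pem
key    = stunnel.pem
; Trust store: stunnel verifies peers against what CAfile/CApath load,
; not against certificates imported into a browser or mail reader.
CAfile = ca.pem
; verify = 3 requires the client's certificate itself to be installed
; locally, so an unknown cert signed by the CA is still rejected.
; The cert must sit in CApath under its subject hash, e.g. 1a2b3c4d.0,
; obtained with:  openssl x509 -hash -noout -in client1.pem
CApath = certs
verify = 3

[vnc]
; assumed: VNC listens on 5900, stunnel accepts TLS on 5901
accept  = 5901
connect = 127.0.0.1:5900

; ---------- client side (stunnel.conf on the connecting PC) ----------
client = yes
; assumed file names: client1.pem = this client's cert + key, ca.pem = the CA
cert   = client1.pem
key    = client1.pem
; verify = 2 requires a server certificate chaining to ca.pem (and no
; other CA, since nothing else is loaded); verify = 3 would additionally
; require a hashed copy of the server certificate in CApath.
CAfile = ca.pem
verify = 2

[vnc]
; the VNC viewer connects to localhost:5901; stunnel forwards over TLS
accept  = 127.0.0.1:5901
connect = vnc-server.example:5901
```

The security-relevant point is the distinction between "signed by my CA" (verify = 2) and "is a certificate I have on file" (verify = 3): the first lets any certificate the CA ever issued in, the second pins the set of accepted peers to the files present in CApath, so a client is revoked simply by deleting its hashed file and reloading stunnel.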