Hi,
I want to set up a service using stunnel as a server. I want only specific clients to be able to connect. Each client will have an SSL-enabled client app.
I understand the part about needing to create a self-signed cert for the stunnel server. I don't understand what stunnel will require from each client. Do I have to create CSRs for each client and sign them with my self-signed cert, or will the keys from additional standalone self-signed certs for each client be good enough on the client side as long as I have a cert for each key in the certificate path of the server?
Is it correct that verify=3 will make sure only clients that have keys matching the certs in the server cert path can connect?
If a client with a key that I have no cert for tries to connect, what should happen? Will it time out or will there be an error that the key isn't valid?
Thanks,
/jl