
Hi, I've attached a patch against stunnel 4.10. It adds two verification options to the global configuration:

===

remote_subj = expected subject for the remote certificate

If set, the remote certificate's subject must match this string. You can obtain the subject in the proper format by running

    openssl x509 -in servercert.pem -noout -subject

Example:

    remote_subj = /C=CA/ST=Ontario/CN=gw

Requires verify=2 or greater.

verify_depth = maximum number of CA certificates in chain

Specifies the maximum certificate chain depth when verifying the peer certificate:

    0: peer certificate must be self-signed
    1: peer certificate must be signed by a root CA
    2: peer certificate can be signed by at most one intermediate CA

The stunnel default depth is 9 for backwards compatibility. Please note that Apache/SSL defaults to 1.

If your non-CA certificates are marked with the X509v3 basic constraint "CA:FALSE", you probably do not need to worry about chain depth. This is the default behaviour for most CA tools, including the scripts that ship with OpenSSL.

===

remote_subj probably belongs in per-service config, not global, but the SSL verification setup is global and I didn't want to start messing with it.

Mike
participants (1)
-
Michael Smith
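As an added illustration, not part of Mike's patch or of stunnel's own code, the following Python models the two checks the post describes: the exact-string remote_subj comparison against the subject rendered in OpenSSL's one-line `/C=.../ST=.../CN=...` format, and the verify_depth limit on the number of CA certificates sitting above the peer certificate (0 = self-signed peer, 1 = signed by a root, 2 = one intermediate). Certificates are constructed dataclasses carrying only subject, issuer and a CA flag rather than real X.509 objects; the sample names, the chains and the `verify_peer` function are assumptions made for this example.

```python
# Added example (not stunnel's code): models remote_subj and verify_depth
# checking over toy certificate objects. No real X.509 parsing or signature
# verification is performed; the chain is checked by name linkage only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: RDN tuples plus a CA flag.
    A name is a tuple of (attribute, value) pairs in certificate order."""
    subject: tuple
    issuer: tuple
    is_ca: bool = False  # models the X509v3 basic constraint CA:TRUE/FALSE


def openssl_oneline(name):
    """Render a name the way `openssl x509 -noout -subject` prints it in its
    classic one-line form, e.g. '/C=CA/ST=Ontario/CN=gw'."""
    return "".join(f"/{attr}={value}" for attr, value in name)


def subject_matches(cert, remote_subj):
    """remote_subj semantics from the post: an exact string comparison."""
    return openssl_oneline(cert.subject) == remote_subj


def check_chain_links(chain):
    """Return an error string if the chain does not link up, else None.
    chain[0] is the peer certificate; chain[-1] must be self-signed and
    every certificate that signs another must be a CA."""
    if not chain:
        return "empty chain"
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return (f"{openssl_oneline(lower.subject)} is not issued by "
                    f"{openssl_oneline(upper.subject)}")
        if not upper.is_ca:
            return (f"{openssl_oneline(upper.subject)} is CA:FALSE "
                    "and cannot sign certificates")
    root = chain[-1]
    if root.subject != root.issuer:
        return "chain does not end in a self-signed certificate"
    return None


def verify_peer(chain, remote_subj=None, verify_depth=9):
    """Apply the two checks. Depth counts CA certificates above the peer:
    [peer] -> 0, [peer, root] -> 1, [peer, intermediate, root] -> 2.
    The default of 9 mirrors the stunnel default quoted in the post."""
    err = check_chain_links(chain)
    if err:
        return False, err
    depth = len(chain) - 1
    if depth > verify_depth:
        return False, f"chain depth {depth} exceeds verify_depth {verify_depth}"
    if remote_subj is not None and not subject_matches(chain[0], remote_subj):
        return False, (f"remote subject {openssl_oneline(chain[0].subject)!r} "
                       f"does not match {remote_subj!r}")
    return True, "ok"


# Constructed sample certificates (hypothetical names, no real keys).
ROOT = Cert(subject=(("CN", "Example Root"),),
            issuer=(("CN", "Example Root"),), is_ca=True)
INTER = Cert(subject=(("CN", "Example Intermediate"),),
             issuer=ROOT.subject, is_ca=True)
PEER = Cert(subject=(("C", "CA"), ("ST", "Ontario"), ("CN", "gw")),
            issuer=ROOT.subject)
PEER_VIA_INTER = Cert(subject=PEER.subject, issuer=INTER.subject)
SELF_SIGNED = Cert(subject=(("CN", "standalone"),), issuer=(("CN", "standalone"),))

EXPECTED_SUBJ = "/C=CA/ST=Ontario/CN=gw"  # what remote_subj would be set to


if __name__ == "__main__":
    for label, chain, depth in [
        ("root-signed, verify_depth=1", [PEER, ROOT], 1),
        ("via intermediate, verify_depth=1", [PEER_VIA_INTER, INTER, ROOT], 1),
        ("via intermediate, verify_depth=2", [PEER_VIA_INTER, INTER, ROOT], 2),
        ("self-signed peer, verify_depth=0", [SELF_SIGNED], 0),
    ]:
        subj = None if chain[0] is SELF_SIGNED else EXPECTED_SUBJ
        print(f"{label}: {verify_peer(chain, subj, depth)}")
```

The depth rule is the one the post gives (verify_depth counts CA certificates above the peer), and the subject check is deliberately a plain string equality, which is why the expected value has to be taken from `openssl x509 -noout -subject` rather than typed by hand.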