OCSP problem - wrong cert validated

Hi,

I am having a problem using OCSP with Stunnel.

client: stunnel-5.55, server: stunnel-5.49, both using openssl-1.0.2k-fips.

When I use the openssl ocsp command it works fine, e.g.:

    openssl ocsp -issuer idca-rootca.pem -CAfile idca-rootca.pem -cert server-cert.pem -url http://10.0.0.166:40040
    Response verify OK
    server-cert.pem: good

Wireshark: OCSP request contains the server cert serial number, and OCSP response returns "certStatus: good(0)".

However, when I use Stunnel the OCSP lookup fails (Connection reset by peer), and in the Stunnel log I get:

    LOG3[0]: OCSP: OCSP_basic_verify: ocsp_vfy.c:166: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted

Wireshark: OCSP request now contains the issuer (idca) instead of the server cert serial number, and the OCSP response returns "certStatus: unknown (2)".

I have tried various combinations of cert and CA pem files, e.g. server cert on its own, then including idca, then including both idca and rootca. I have also tried all combinations of CA cert, even including all certs in it.

I am testing Stunnel using SSH over TLS and here are the configs:

Stunnel client config:

    [ssh]
    CAfile = idca-rootca.pem
    cert = client-cert.pem
    key = client-key.pem
    accept=40010
    connect=10.0.0.166:40010
    verifyPeer = yes
    OCSP = http://10.0.0.166:40040

Stunnel server config:

    [sshd]
    CAfile = idca-rootca.pem
    cert = server-cert.pem
    key = server-key.pem
    accept = 10.0.0.166:40010
    connect = 22

Appreciate any help with this problem.
participants (1)
-
Mark Currie
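The two symptoms in the post (the request naming the issuer's serial instead of the server cert's, and OpenSSL rejecting the response with "root ca not trusted") are both things an OCSP client can check for itself. The following is an added example, not code from the post or from the stunnel project: it builds a throwaway PKI in memory using the post's names (rootca signs idca, idca signs the server cert), issues an OCSP request the way a client should, answers it with a minimal in-process responder, and applies the client-side checks that correspond to the two failures. It assumes the Python `cryptography` package; the responder (`respond`), its lookup table, and the idea that idca signs its own responses are constructed for the illustration, not taken from the post's setup.

```python
"""Added example, not code from the stunnel post or from the stunnel project.
Builds a throwaway PKI (rootca -> idca -> server), issues an OCSP request for
the server cert, answers it with a minimal in-process responder, and applies
the client-side checks that correspond to the post's two symptoms.
Requires the 'cryptography' package; every cert and key is generated on the fly."""
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

DER = serialization.Encoding.DER


def _now():
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _issue(cn, key, issuer_cert, issuer_key, is_ca):
    """Issue a certificate for `cn`; issuer_cert None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=1))
            .not_valid_after(_now() + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_pki():
    """Constructed chain mirroring the post's names. Returns {name: (cert, key)}."""
    root_key, idca_key, srv_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = _issue("rootca", root_key, None, root_key, True)
    idca = _issue("idca", idca_key, root, root_key, True)
    srv = _issue("server", srv_key, idca, idca_key, False)
    return {"rootca": (root, root_key), "idca": (idca, idca_key), "server": (srv, srv_key)}


def build_request(cert, issuer):
    """What a client should send: a CertID for `cert`, built from its issuer's name and key hashes."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(DER)


def requested_serial(request_der):
    """Serial carried in the request; the Wireshark check in the post is that it equals the server cert's serial."""
    return ocsp.load_der_ocsp_request(request_der).serial_number


def respond(request_der, known, good_serials, responder_cert, responder_key):
    """Minimal responder (assumption: idca signs its own responses).
    `known` maps serial -> (cert, issuer_cert) for every cert the responder can name;
    serials in `good_serials` get GOOD, other known serials get UNKNOWN, the rest an error."""
    req = ocsp.load_der_ocsp_request(request_der)
    if req.serial_number not in known:
        err = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
        return err.public_bytes(DER)
    cert, issuer = known[req.serial_number]
    status = ocsp.OCSPCertStatus.GOOD if req.serial_number in good_serials else ocsp.OCSPCertStatus.UNKNOWN
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=_now(), next_update=_now() + datetime.timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, responder_cert)
            .certificates([responder_cert])
            .sign(responder_key, hashes.SHA256()))
    return resp.public_bytes(DER)


def verify_response(response_der, expected_cert, trust_anchor):
    """Client-side checks: success status, responder cert is the trust anchor or issued by it,
    signature over tbsResponseData verifies, and the answer is for the cert we asked about.
    Returns the status name ('GOOD', 'UNKNOWN', 'REVOKED') or raises ValueError."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status.name}")
    signer = next((c for c in resp.certificates if c.subject == resp.responder_name), None)
    if signer is None:
        raise ValueError("responder certificate not present in response")
    try:
        if signer != trust_anchor:  # analogue of OpenSSL's 'root ca not trusted' check
            trust_anchor.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                             padding.PKCS1v15(), signer.signature_hash_algorithm)
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        raise ValueError("responder does not chain to the trust anchor / bad signature")
    if resp.serial_number != expected_cert.serial_number:
        raise ValueError("response answers a different certificate than the one requested")
    return resp.certificate_status.name


if __name__ == "__main__":
    pki = make_pki()
    root, idca, srv = (pki[n][0] for n in ("rootca", "idca", "server"))
    known = {srv.serial_number: (srv, idca), idca.serial_number: (idca, root)}
    resp = respond(build_request(srv, idca), known, {srv.serial_number}, idca, pki["idca"][1])
    print(verify_response(resp, srv, root))
```

Running the script prints `GOOD` for the correct request. Building the request for the idca cert instead of the server cert, as the post's Wireshark capture shows stunnel doing, yields an UNKNOWN answer from a responder that only vouches for the server cert, and verifying against an anchor that did not issue the responder's certificate fails at the chain check, which is the same condition OpenSSL reports as "root ca not trusted". The `verify_response` steps are the ones to compare against when deciding which trust anchor and which certificate the OCSP client is actually using.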