Hi,

I'm using stunnel to secure communication between nodes in a cluster, using a self-signed CA to sign the server certs and the `verify = 2` config parameter. This works great. What I want to be able to do is replace the CA key and certificate without breaking the cluster. How I thought this should work would be:

1. Configure the stunnels to trust both the old and new CA certificates while the nodes continued to use server certificates signed by the old CA key. 2. Switch to using using server certifcates signed by the new CA key. 3. Finally remove trust in the old CA certificate.

I'd tried this by putting both CA certificates in a single file and using `CAfile` config parameter, and also by using the `CApath` config parameter with both root CA certificates in the configured directory, but I've not been able to get this to work while keeping `verify = 2`. It does work if I temporary use `verify = 0`, but obviously that means I've not got TLS authentication duration the duration of the process.

Can anyone confirm whether stunnel supports this use case, and if so suggest where I might be going wrong?

Many thanks,

Tom