
Hi,

I want to control access to a service reachable through stunnel. Only those clients shall be allowed to use the service which provide a known certificate.

I have found the option "CApath"; can this directory be used to collect all client certificates? Or is it absolutely necessary to have CA certs there?

Another thing in this environment: I do not know or own every CA certificate used by the clients - I only get the client certificates themselves. So I want to do only a one-level client cert verification. Which verify level do I need for this? 2 or 3?

What about removing certificates from the CApath directory? Do I have to restart stunnel to make this change effective?

Another thing: since the client certificates are not revoked by us I am not able to use CRLs for controlling access to our service.

-- 
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de),
Weidenauer Str. 223-225, D-57076 Siegen
Tel. : +49 271 48950-13, Fax : +49 271 48950-50