I think a functionnality is missing in stunnel. I compare the behaviour of stunnel and apache mod-ssl. If you have a certificate signed by third party, apache checks the root certificate like stunnel do this with -v 1 option but apache don't ask for a client certificate, stunnel do this :-( I think that stunnel should control server certificate chain defined in CA file even if option -v 1 is not set !!! Could you give your opinion? If I use stunnel and not apache it's because I have some protocols to handle with ssl and stunnel is a very easy to use solution. Thanks Oliver