diff -c -r stunnel-3.8/common.h stunnel-3.8~/common.h
*** stunnel-3.8/common.h Thu Feb 24 03:35:00 2000
--- stunnel-3.8~/common.h Thu May 4 12:37:53 2000
***************
*** 135,140 ****
--- 135,141 ----
typedef struct {
char certfile[STRLEN]; /* name of the certificate */
char clientdir[STRLEN];
+ char cacert[STRLEN];
char pidfile[STRLEN];
unsigned long dpid;
int clients;
diff -c -r stunnel-3.8/ssl.c stunnel-3.8~/ssl.c
*** stunnel-3.8/ssl.c Fri Feb 18 07:26:48 2000
--- stunnel-3.8~/ssl.c Thu May 4 12:36:09 2000
***************
*** 228,240 ****
}
if(options.verify_level!=SSL_VERIFY_NONE) {
if ((!SSL_CTX_set_default_verify_paths(ctx))
! || (!SSL_CTX_load_verify_locations(ctx, CLIENT_CA, options.clientdir))){
sslerror("X509_load_verify_locations");
exit(1);
}
SSL_CTX_set_verify(ctx, options.verify_level, verify_callback);
! SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CLIENT_CA));
if (options.verify_use_only_my)
log(LOG_NOTICE, "Peer certificate location %s", options.clientdir);
}
--- 228,240 ----
}
if(options.verify_level!=SSL_VERIFY_NONE) {
if ((!SSL_CTX_set_default_verify_paths(ctx))
! || (!SSL_CTX_load_verify_locations(ctx, options.cacert, options.clientdir))){
sslerror("X509_load_verify_locations");
exit(1);
}
SSL_CTX_set_verify(ctx, options.verify_level, verify_callback);
! SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(options.cacert));
if (options.verify_use_only_my)
log(LOG_NOTICE, "Peer certificate location %s", options.clientdir);
}
diff -c -r stunnel-3.8/stunnel.8.in stunnel-3.8~/stunnel.8.in
*** stunnel-3.8/stunnel.8.in Tue Feb 15 09:13:15 2000
--- stunnel-3.8~/stunnel.8.in Thu May 4 16:55:40 2000
***************
*** 3,14 ****
stunnel \- universal SSL tunnel
.SH SYNOPSIS
.B stunnel
! [-T] [-p pemfile] [-v level] [-a directory] [-t timeout] [-u username] [-n protocol] [-d [ip:]port [-f]] [ -l program | -r [ip:]port | -L program [-- args] ]
.PP
.B stunnel
! 
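Review bot: The changed `SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(options.cacert));` line still passes the loader's result through unchecked, and now that `-A` lets the operator point it at an arbitrary path, a missing or unparsable file yields NULL and the context silently advertises an empty client-CA list instead of failing at startup the way the `SSL_CTX_load_verify_locations` branch just above does. I would hold the result: `STACK_OF(X509_NAME) *cas = SSL_load_client_CA_file(options.cacert);` then `if (!cas) { sslerror("SSL_load_client_CA_file"); exit(1); }` and `SSL_CTX_set_client_CA_list(ctx, cas);` (the existing `sslerror("X509_load_verify_locations")` label also names a function this code does not call, so it could be corrected while here). Note too that `SSL_CTX_set_default_verify_paths(ctx)` is still called unconditionally, so `-A` adds to the library's default trust store rather than replacing it; if the man-page wording "the client Certificate Authority certificate" is meant to imply that only that CA is trusted, the code does not do that and a comment or a doc caveat should say so. The enclosing function starts and ends outside the hunk.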
{-c} [-p pemfile] [-v level] [-a directory] [-t timeout] [-u username] [-n protocol] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ]
.SH DESCRIPTION
--- 3,14 ----
stunnel \- universal SSL tunnel
.SH SYNOPSIS
.B stunnel
! [-T] [-p pemfile] [-v level] [-A certfile] [-a directory] [-t timeout] [-u username] [-n protocol] [-d [ip:]port [-f]] [ -l program | -r [ip:]port | -L program [-- args] ]
.PP
.B stunnel
! {-c} [-p pemfile] [-v level] [-A certfile] [-a directory] [-t timeout] [-u username] [-n protocol] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ]
.SH DESCRIPTION
***************
*** 47,54 ****
--- 47,57 ----
verify peer certificate
.RS
level 1 - verify peer certificate if present
+ .br
level 2 - verify peer certificate
+ .br
level 3 - verify peer with locally installed certificate
+ .br
default: no verify
.RE
.PP
***************
*** 56,61 ****
--- 59,75 ----
client certificate directory for -v 3 option
.RS
default: @ssldir@/certs/trusted
+ .RE
+ .PP
+ .B -A certfile
+ .RS
+ the client Certificate Authority certificate
+ .br
+ default:
+ .br
+ @ssldir@/cert.pem and/or
+ .br
+ @ssldir@/localCA/cacert.pem
.RE
.PP
.B -t timeout
diff -c -r stunnel-3.8/stunnel.c stunnel-3.8~/stunnel.c
*** stunnel-3.8/stunnel.c Thu Feb 24 03:32:27 2000
--- stunnel-3.8~/stunnel.c Thu May 4 16:52:22 2000
***************
*** 148,153 ****
--- 148,154 ----
options.foreground=1;
safecopy(options.certfile, DEFAULT_CERT);
safecopy(options.clientdir, CA_DIR);
+ safecopy(options.cacert, CLIENT_CA);
get_options(argc, argv);
if(!(options.option&OPT_FOREGROUND)) {
options.foreground=0;
***************
*** 217,224 ****
options.setuid_user=NULL;
options.setgid_group=NULL;
opterr=0;
! while ((c = getopt(argc, argv, "a:cp:v:d:fTl:L:r:s:g:t:u:n:hC:D:V")) != EOF)
switch (c) {
case 'a':
safecopy(options.clientdir, optarg);
break;
--- 218,228 ----
options.setuid_user=NULL;
options.setgid_group=NULL;
opterr=0;
! 
while ((c = getopt(argc, argv, "A:a:cp:v:d:fTl:L:r:s:g:t:u:n:hC:D:V")) != EOF)
switch (c) {
+ case 'A':
+ safecopy(options.cacert, optarg);
+ break;
case 'a':
safecopy(options.clientdir, optarg);
break;
***************
*** 902,907 ****
--- 906,913 ----
"\n\t\tdefault: no verify"
"\n -a directory\tclient certificate directory for -v 3 option"
"\n\t\tdefault: " CA_DIR
+ "\n -A certfile\tCA certificate for -v2 and -v3 options"
+ "\n\t\tdefault: " CLIENT_CA
"\n -t timeout\tsession cache timeout"
"\n\t\tdefault: 300 s."
"\n -u user\tUse IDENT (RFC 1413) username checking"
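Review bot: The added help line `"\n -A certfile\tCA certificate for -v2 and -v3 options"` understates where the file is used: the ssl.c hunk in this same patch loads `options.cacert` whenever `options.verify_level!=SSL_VERIFY_NONE`, which, going by the man page's "level 1 - verify peer certificate if present", presumably includes `-v 1` as well unless level 1 maps to SSL_VERIFY_NONE (the option mapping is not in the hunk). I would word it `"\n -A certfile\tCA certificate for -v 1, 2 and 3 options"`, which also spells the level with a space like the `-v 3` in the `-a` line directly above. The new `.B -A certfile` entry in stunnel.8.in should carry the same correction so the two stay in sync. The usage string continues outside the hunk.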