When stunnel starts a local program, this program has no chance of becoming aware of the certificate used for establishing the SSL connection. It is fine that it is only started if the client has been successfully authenticated, but after that, my script needs to know which certificate was used for this, to distinguish between the clients.

The attached patch delays the execution of the local program until after the SSL handshake (unless a protocol must be negotiated), and sets some environment variables similar to Apache-SSL:

    SSL=on
    SSL_CIPHER=DES-CBC3-SHA
    SSL_KEYSIZE=168
    SSL_PROTOCOL_VERSION=SSLv3
    SSL_CLIENT_DN=/C=DE/ST=Germany/...
    SSL_CLIENT_I_DN=/C=DE/ST=Germany/...
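
One way the started program could use the environment variables listed above to tell clients apart, as an added example that is not part of the original report or the patch. The DN values, the allow-list, the minimum key size and the function name are constructed for illustration; the variable names are the ones given in the report.

```python
import os
import sys

# Constructed allow-list: (issuer DN, subject DN) -> local client name.
# DNs are in the slash-separated one-line form shown in the report.
TRUSTED_ISSUER = "/C=XX/O=Example Org/CN=Example Client CA"
KNOWN_CLIENTS = {
    (TRUSTED_ISSUER, "/C=XX/O=Example Org/CN=client-a"): "client-a",
    (TRUSTED_ISSUER, "/C=XX/O=Example Org/CN=client-b"): "client-b",
}
MIN_KEYSIZE = 128  # assumed local policy, not something the patch enforces


def identify_client(env):
    """Return the local name for the authenticated client, or None.

    Fails closed: any missing or unexpected variable yields None.
    """
    # The program may also be started without SSL; require the marker.
    if env.get("SSL") != "on":
        return None
    try:
        if int(env.get("SSL_KEYSIZE", "0")) < MIN_KEYSIZE:
            return None
    except ValueError:
        return None
    issuer = env.get("SSL_CLIENT_I_DN", "")
    subject = env.get("SSL_CLIENT_DN", "")
    # Compare the complete strings. Splitting on "/" to pick out CN is
    # ambiguous because an attribute value may itself contain "/", so a
    # prefix or substring match could accept a crafted subject.
    return KNOWN_CLIENTS.get((issuer, subject))


if __name__ == "__main__":
    client = identify_client(os.environ)
    if client is None:
        sys.stderr.write("unrecognised or missing client certificate\n")
        sys.exit(1)
    sys.stderr.write("serving client %s\n" % client)
```
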