It would be nice to change the log level for "No OCSP stapling response received" messages. However, this looks like it might be a bug. I also encountered the following case:

verifyChain = yes
checkHost = smtp.mail.eu-west-1.awsapps.com

In this setup, no OCSP-related options can suppress checking OCSP:

OCSPrequire = no
OCSPaia = no
OCSPflag = NOVERIFY

I would suggest either adding an option to disable OCSP checks with verifyChain=yes, or adjusting the behavior of OCSPrequire=no so it does that.

The "No OCSP stapling response received" log message, as its text suggests, only means that the TLS server did not return stapling. This check is performed before OCSP verification, so it doesn't matter whether a conclusive OCSP response is required, whether the OCSP AIA URL will be used, or whether OCSP signature verification will be performed.
A separate issue is that if OCSP stapling was provided by the
server *and* the certificate status is V_OCSP_CERTSTATUS_REVOKED
then stunnel will reject the connection regardless of its
configuration.
Best regards,
Mike