Hi, I'm trying to set up stunnel to trust only certificates issued by an intermediate CA and not by other CAs issued by the same root CA.
I came across this discussion about the same topic: https://www.stunnel.org/mailman3/hyperkitty/list/[email protected]/thread/DUF6C6BRNFVAWVCDIGXPUDTAPZR5KV5W/. I tested the described options, but it always authenticates other sub-CAs as well, because the whole chain must always be supplied in the configured CAfile or CApath.
In my opinion, the proper solution would be to add the "partial chain" OpenSSL configuration option to the stunnel config. This would allow the admin to decide how the intermediate CA will be verified. What do you think about that?
See the corresponding OpenSSL issue: https://github.com/openssl/openssl/issues/7871.
Thanks
Vit
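The behaviour Vit describes can be reproduced outside stunnel with the OpenSSL command line, since `openssl verify -partial_chain` is the CLI surface of the same X509_V_FLAG_PARTIAL_CHAIN verifier flag the post proposes exposing in stunnel. The script below is an added example, not code from the thread or from the stunnel project: it builds a throwaway PKI (one root, two intermediates "Int A" and "Int B", one leaf under each; all names, the working directory and the certificate lifetimes are constructed for the demo) and then runs the three verifications that matter: whole chain in CAfile, Int A alone with default flags, and Int A alone with partial chain.

```sh
#!/bin/sh
# Added example (not from the thread above and not stunnel's own code): build a
# throwaway PKI with one root and two intermediates, then show how OpenSSL's
# verifier treats an intermediate-only trust store with and without
# X509_V_FLAG_PARTIAL_CHAIN, which `openssl verify` exposes as -partial_chain.
# All names (Test Root, Int A, Int B, leaf-a, leaf-b) are constructed for the demo.
set -u

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Extension profiles: one for CA certificates, one for end-entity certificates.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
EOF

# $1=name $2=subject: fresh P-256 key and CSR -> $1.key, $1.csr
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# $1=name $2=issuer $3=extfile: sign $1.csr with the issuer's key -> $1.pem
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Root (self-signed), two intermediates under it, one leaf under each, plus a
# "whole chain" CAfile (root + Int A + Int B) of the kind the post complains about.
build_pki() {
  new_csr root "/CN=Test Root" &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem 2>/dev/null &&
  new_csr intA "/CN=Int A"   && sign intA root ca.ext &&
  new_csr intB "/CN=Int B"   && sign intB root ca.ext &&
  new_csr leafA "/CN=leaf-a" && sign leafA intA leaf.ext &&
  new_csr leafB "/CN=leaf-b" && sign leafB intB leaf.ext &&
  cat root.pem intA.pem intB.pem > whole-chain.pem
}

# verify <leaf> <CAfile> [extra openssl-verify options]; the exit status is the verdict
verify() {
  leaf=$1; cafile=$2; shift 2
  openssl verify "$@" -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}

build_pki || { echo "PKI setup failed"; exit 1; }

# 1. Whole chain in CAfile: a leaf issued by Int B is accepted as well, which
#    is exactly the problem described in the post.
verify leafB.pem whole-chain.pem && echo "whole chain, default:      leaf-b ACCEPTED"

# 2. Only Int A in CAfile, default flags: rejected, because the verifier
#    insists on building the chain up to a self-signed root it trusts.
verify leafA.pem intA.pem || echo "Int A only, default:       leaf-a rejected"

# 3. Only Int A in CAfile with partial chain: Int A itself is accepted as the
#    trust anchor, so leaf-a verifies while leaf-b (issued by Int B) does not.
verify leafA.pem intA.pem -partial_chain && echo "Int A only, partial chain: leaf-a accepted"
verify leafB.pem intA.pem -partial_chain || echo "Int A only, partial chain: leaf-b rejected"
echo "artifacts left in $WORK"
```

Case 3 is the policy the post is after: with the partial-chain flag, a CAfile that contains only the intermediate is both sufficient and restrictive, because nothing issued by a sibling intermediate can chain to it. Without the flag, case 2 shows why the admin is forced to add the root (and, with it, every sub-CA the root has signed) to get any verification at all. Whether a given stunnel release can set this flag is a question for its own documentation; the script only shows what the underlying OpenSSL verifier does with each trust store.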