It appears that "allow_self_signed" does not and cannot apply to the local_cert option.
The stunnel verify=4 option, which verifies but ignores a CA, has no analog in these settings, which is unfortunate.
Even more perplexingly, while the "openssl verify -CAfile" is successful, PHP appears unable to use the new ca/crt pair in any configuration.
I did actually link my PHP against a copy of LibreSSL 2.3.8, but PHP oddly is unable to use TLS1.1 or 1.2. It does, however, enable EC secp521r1 (of which my native OpenSSL 0.9.8e is incapable).
