I was browsing our stunnel configuration, and while it lacks some proper configuration regarding TLS versions and does not comply with my preference of using a certificate for stunnel ONLY, according to the docs there is no verification of the peer certificate by default. The result is encrypted communication, but without verifying that we are talking with Miraheze's servers and not someone else's.
I have a hard time understanding how stunnel works with the backend server with regards to certificates. I have not been able to prove (in)valid verification by stunnel.
A proper solution (to make sure stunnel verifies the clients 100%) would probably be to create a self-signed certificate and let nginx use that. However, that would break test1.miraheze.org, which would then need the old config. Such a drastic change cannot be done in just one day, thus reducing priority.
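As an added illustration of the default-is-unverified point above (this is example code, not part of the original post and not Miraheze's actual stunnel.conf): the first sample section below is a client-mode stunnel service with only the defaults, which encrypts the hop but accepts any certificate the far end presents; the second adds the directives that make stunnel actually validate the peer. The hostnames, CA bundle path and the assumption that stunnel is running in client mode towards the backend are all constructed for the example. The small audit function reports which of those directives a given config is missing, so it can be pointed at a real config file as well.

```shell
#!/bin/sh
# Added example (not from the original post or Miraheze's repo): audit a client-mode
# stunnel service section for the directives that make the peer certificate verified.
# Hostnames and paths in the two sample configs are constructed for illustration.

tmpdir=$(mktemp -d)
WEAK_CONF="$tmpdir/weak.conf"
FIXED_CONF="$tmpdir/fixed.conf"

# stunnel's default: no verify* directive, so any certificate the peer presents is accepted.
cat > "$WEAK_CONF" <<'EOF'
; constructed sample: encrypts the hop, but trusts whoever answers on port 443
[backend]
client = yes
accept = 127.0.0.1:8443
connect = backend.example.org:443
EOF

# Same service with chain validation against a CA bundle, a hostname check, and a TLS floor.
cat > "$FIXED_CONF" <<'EOF'
; constructed sample: the peer must present a chain to a trusted CA for this hostname
[backend]
client = yes
accept = 127.0.0.1:8443
connect = backend.example.org:443
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = backend.example.org
sslVersionMin = TLSv1.2
EOF

# opt_value FILE KEY: print the value of the first uncommented "KEY = value" line (empty if absent)
opt_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# audit_stunnel_conf FILE: print "OK" or "MISSING: <directives>"; always returns 0
audit_stunnel_conf() {
    f=$1
    missing=""
    # chain verification: verifyChain/verifyPeer (stunnel 5.x) or the legacy "verify" level >= 2
    chain=$(opt_value "$f" verifyChain)
    peer=$(opt_value "$f" verifyPeer)
    level=$(opt_value "$f" verify)
    verified=0
    case "$chain$peer" in *yes*) verified=1 ;; esac
    case "$level" in 2|3|4) verified=1 ;; esac
    [ "$verified" = 1 ] || missing="$missing verifyChain"
    # verifyChain is meaningless without trust anchors to build the chain to
    [ -n "$(opt_value "$f" CAfile)$(opt_value "$f" CApath)" ] || missing="$missing CAfile"
    # a valid chain alone does not bind the certificate to the host we meant to reach
    [ -n "$(opt_value "$f" checkHost)$(opt_value "$f" checkIP)" ] || missing="$missing checkHost"
    # an explicit protocol floor, which the post notes is also absent
    [ -n "$(opt_value "$f" sslVersionMin)" ] || missing="$missing sslVersionMin"
    if [ -z "$missing" ]; then echo "OK"; else echo "MISSING:$missing"; fi
}

audit_stunnel_conf "$WEAK_CONF"    # MISSING: verifyChain CAfile checkHost sslVersionMin
audit_stunnel_conf "$FIXED_CONF"   # OK
```

The checkHost line is the part most often forgotten: verifyChain only proves the peer holds a certificate chaining to some trusted CA, and without checkHost (or checkIP) any certificate issued by that CA, for any name, would still be accepted.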