Ian Zimmerman via Exim-users <exim-users@exim.org> (Tue 14 Feb 2023 01:40:52 CET):
> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?
IMHO it shouldn't be sufficient to accept any client that just has a verified certificate ("authenticated"). You should check if the client is "authorized", by checking required certificate attributes (issuer, subject, …). Maybe I got you wrong.

-- Heiko
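The distinction Heiko draws, a verified chain ("authenticated") versus a certificate actually issued by your own CA for one of your users ("authorized"), as an added Exim configuration example that is not from the thread or from the Exim project. It assumes a private client CA named "Example Client CA" with organization "Example Corp", stored in /etc/exim/client-ca.pem; the `certextract` expansion and `$tls_in.*` variables are Exim's own, the CA names and path are placeholders.

```exim
# --- main configuration section ---
# Assumption: our private client CA is the only certificate in this file.
# With OpenSSL the system default store may be consulted in addition, so a
# successful chain verification alone does not prove the client is ours.
tls_verify_certificates = /etc/exim/client-ca.pem
tls_try_verify_hosts    = *

# --- ACL section ---
acl_check_rcpt:
  # Authorize relaying only when ALL of the following hold:
  #  1. a client certificate was presented and its chain verified,
  #  2. the issuer DN names our own CA (not some public CA from the system store),
  #  3. the subject DN belongs to our organization.
  # The regexes are anchored on RDN boundaries so element order in the DN
  # does not matter.
  accept  verify    = certificate
          condition = ${if match{${certextract{issuer}{$tls_in.peercert}}}\
                          {\N(^|,)CN=Example Client CA(,|$)\N}}
          condition = ${if match{${certextract{subject}{$tls_in.peercert}}}\
                          {\N(^|,)O=Example Corp(,|$)\N}}
          logwrite  = relay authorized for client cert DN $tls_in.peerdn
          control   = submission

  # A certificate that merely verified (e.g. against a public CA the system
  # store trusts) is "authenticated" but not "authorized": log it and refuse
  # relaying for non-local domains.
  deny    condition = ${if eq{$tls_in.certificate_verified}{1}}
          !domains  = +local_domains
          logwrite  = refusing relay: verified but unauthorized cert $tls_in.peerdn
          message   = relaying requires a client certificate issued by our CA

  # ... usual local-delivery and relay-control statements follow ...
```

The `deny` statement only adds a clearer log line and message; without it, the client would simply fall through to whatever relay rules follow, which is what prevents "any certificate presented by e.g. Google" from being enough.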
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/