Author: Ian Zimmerman Date: To: exim-users Subject: [exim] TLS authentication
The Spec discusses this in chapter 42. However, it depends on general
certificate verification, which is discussed in 43.7, and so on the
tls_verify_certificates main configuration item. Reading the
documentation for that,

> The value of this option is expanded, and must then be either the word
> "system" or the absolute path to a file or directory containing
> permitted certificates for clients that match tls_verify_hosts or
> tls_try_verify_hosts.
>
> The "system" value for the option will use a system default location
> compiled into the SSL library. This is not available for GnuTLS
> versions preceding 3.0.20, and will be taken as empty; an explicit
> location must be specified.
>
> ...
>
> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.

Is it at all possible with OpenSSL to stop the "system" location from
being checked? If not, that seems to make the use of TLS for client
authentication impossible because any certificate presented by
e.g. Google will pass verification. Am I reading this correctly?
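As an added example, not part of Ian's post or of the Exim documentation he quotes: a configuration skeleton built from the options discussed above, pinning client-certificate verification to an explicit CA file and then checking the verified peer's subject DN in the ACL, so the relay decision does not rest on the trust store alone. The file paths, the domain list and the DN value are assumed placeholders.

```exim
# Added example; paths, the domain list and the DN value are placeholders,
# not values from the original post. Exim comments must start a line.

# ---- main section ----
domainlist local_domains = @
acl_smtp_rcpt = acl_check_rcpt
tls_advertise_hosts = *
tls_certificate = /etc/exim/server.crt
tls_privatekey  = /etc/exim/server.key

# Explicit CA bundle for client certificates; the "system" keyword is
# deliberately not used, so only certificates chaining to this file are
# meant to verify.
tls_verify_certificates = /etc/exim/relay-client-ca.pem

# Attempt verification for every client but keep the session open when
# it fails, so ordinary Internet MTAs without a client certificate can
# still deliver local mail. tls_verify_hosts would abort the handshake.
tls_try_verify_hosts = *

# ---- ACL section ----
begin acl

acl_check_rcpt:
  # Relay only when the session is encrypted, the client certificate
  # verified, and its subject DN is exactly the identity we issued.
  # The DN match is the defence in depth for the concern raised above:
  # a certificate that merely chains to some other CA in the trust
  # store is still refused. The DN string format depends on the TLS
  # library; this is the OpenSSL-style form for a placeholder identity.
  accept  encrypted = *
          verify    = certificate
          condition = ${if eq{$tls_in_peerdn}{/C=US/O=Example/CN=relay.example.org}}

  # Local recipients are accepted without any client certificate.
  accept  domains = +local_domains
          verify  = recipient

  deny    message = relay not permitted
```

Check the DN your own library produces with `exim -bP` style debugging or by logging `$tls_in_peerdn` before relying on an exact string match.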