Re: [exim] TLS authentication

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS authentication
On Mon, Feb 13, 2023 at 04:40:52PM -0800, Ian Zimmerman via Exim-users wrote:

> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?


In principle, yes, it just requires not loading the default certificate
store by not calling SSL_CTX_set_default_verify_paths(3).

So if you want to permit only clients with trusted certificates signed
by just your own CA, indeed you need to avoid loading the default cert
store.

On the other hand, much better to simply maintain an explicit table of
trusted client public keys and match these (by SHA256 fingerprint
perhaps). Use a lookup table to check whether the client is authorised
or not.

-- 
    Viktor.