Ian Zimmerman via Exim-users <exim-users@???> (Di 14 Feb 2023 01:40:52 CET): > With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?
IMHO it shouldn't be sufficient accept any client that just has a
verified certificate ("authenticated"). You should check, if the client
is "authorized", by checking required certificate attributes (issuer,
subject, …)
