The Spec discusses this in chapter 42. However, it depends on general certificate verification, which is discussed in 43.7, and so on the tls_verify_certificates main configuration item. Reading the documentation for that:

    The value of this option is expanded, and must then be either the word "system" or the absolute path to a file or directory containing permitted certificates for clients that match tls_verify_hosts or tls_try_verify_hosts. The "system" value for the option will use a system default location compiled into the SSL library. This is not available for GnuTLS versions preceding 3.0.20, and will be taken as empty; an explicit location must be specified.
    ...
    With OpenSSL the certificates specified explicitly either by file or directory are added to those given by the system default location.

Is it at all possible with OpenSSL to stop the "system" location from being checked? If not, that seems to make the use of TLS for client authentication impossible because any certificate presented by e.g. Google will pass verification. Am I reading this correctly?

-- 
Ian

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
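To make the concern in the post concrete, the following is an added example written for this page (Go standard library only; it is not Exim code and not from the list post). It builds a private CA and a second, stand-in CA that plays the role of a root shipped in a system trust store, issues one client certificate from each, and then verifies both certificates against a pool holding only the private CA and against a pool that also holds the stand-in root, which is what the quoted documentation describes happening when explicit certificates are added to the system default location. All names, serial numbers and certificates are constructed fixtures; nothing here is a real public root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA certificate. Constructed fixture: the
// names are made up and neither CA is a real trust anchor.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newClientCert issues a TLS client-authentication leaf signed by ca.
func newClientCert(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyClient reports whether leaf chains to any root in the pool for client auth.
func verifyClient(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// TrustOutcome records which client certificates each trust store accepts.
type TrustOutcome struct {
	OwnClientExplicitOnly    bool // our CA's client vs pool holding only our CA
	PublicClientExplicitOnly bool // stand-in public CA's client vs pool holding only our CA
	PublicClientWithSystem   bool // stand-in public CA's client vs pool holding our CA plus the "system" root
}

// RunScenario builds the fixtures and evaluates both trust-store shapes.
func RunScenario() TrustOutcome {
	ourCA, ourKey := newCA("Private MTA CA (fixture)", 1)
	publicCA, publicKey := newCA("Stand-in system root (fixture)", 2)
	ourClient := newClientCert("mta.example.net", 10, ourCA, ourKey)
	strangerClient := newClientCert("stranger.example.org", 11, publicCA, publicKey)

	explicitOnly := x509.NewCertPool() // what "only my CA" verification needs
	explicitOnly.AddCert(ourCA)

	explicitPlusSystem := x509.NewCertPool() // explicit CA added to the system store
	explicitPlusSystem.AddCert(ourCA)
	explicitPlusSystem.AddCert(publicCA)

	return TrustOutcome{
		OwnClientExplicitOnly:    verifyClient(ourClient, explicitOnly),
		PublicClientExplicitOnly: verifyClient(strangerClient, explicitOnly),
		PublicClientWithSystem:   verifyClient(strangerClient, explicitPlusSystem),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The third field is the one the post is worried about: once the verification pool also contains the system roots, a client certificate issued by any CA in that store chains successfully, so "presented a valid certificate" no longer means "is one of my clients". Authenticating peers against a private CA therefore requires a store that holds only that CA, plus whatever identity check the MTA applies on top of chain validation.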