Re: [exim] TLS authentication

2023-02-16 Thread Jeremy Harris via Exim-users
On 14/02/2023 00:40, Ian Zimmerman via Exim-users wrote:
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked?

No.

> If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by e.g. Google will pass

Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Mon, Feb 13, 2023 at 04:40:52PM -0800, Ian Zimmerman via Exim-users wrote:
> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from

Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Thu, Feb 16, 2023 at 09:44:55PM +0100, Heiko Schlittermann via Exim-users wrote:
> > Is it at all possible with OpenSSL to stop the "system" location from
> > being checked? If not, that seems to make the use of TLS for client
> > authentication impossible because any certificate presented by

Re: [exim] TLS authentication

2023-02-16 Thread Heiko Schlittermann via Exim-users
Ian Zimmerman via Exim-users (Di 14 Feb 2023 01:40:52 CET):
> With OpenSSL the certificates specified explicitly either by file or
> directory are added to those given by the system default location.
>
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked?

Re: [exim] TLS authentication

2023-02-16 Thread Jeremy Harris via Exim-users
On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> Some applications (want to) only accept client certificates issued by a
> dedicated non-public CA, which amounts to an authorisation server

In exim usage that's a test on a certextract of the issuer of $tls_in_peercert, either just in

Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Thu, Feb 16, 2023 at 09:17:51PM +, Jeremy Harris via Exim-users wrote:
> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> > Some applications (want to) only accept client certificates issued by a
> > dedicated non-public CA, which amounts to an authorisation server
>
> In exim

Re: [exim] TLS authentication

2023-02-16 Thread Ian Zimmerman via Exim-users
On Thu, Feb 16, 2023 at 09:29:20AM -0500, Viktor Dukhovni via Exim-users wrote:
> On the other hand, much better to simply maintain an explicit table of
> trusted client public keys and match these (by SHA256 fingerprint
> perhaps). Use a lookup table to check whether the client is authorised
>

Re: [exim] TLS authentication

2023-02-16 Thread Viktor Dukhovni via Exim-users
On Thu, Feb 16, 2023 at 08:18:46PM -0800, Ian Zimmerman via Exim-users wrote:
> An excellent suggestion, thanks. I think I got stuck in this unproductive
> (it seems) rut of authentication by verification because of two things:
>
> - not immediately obvious how to *compute* the checksum to match