On 29/03/2019 13:44, Richard Jones via Exim-users wrote:
> On Mar 29, Jeremy Harris via Exim-users wrote
>> You are presumably setting up to request client certs (this is the CAs
>> list that you'll be verifying client certs against). The idea is that
>> the server tells the client what authorities might be acceptable, so
>> that the client can pick among several client certs it might have
>> available for presentation.
>>
>> There's a hint in the docs that you can subvert that by using
>> (with OpenSSL or with recent GnuTLS) a directory full of certs
>> for tls_verify_certificates.
>>
>>
>> Of course, if you're not planning on using client certs, you don't
>> need any of this.
>
> I was hoping to be able to validate them, yes. It just seems overkill to
> also offer every root CA installed.
>
> If it's a choice of one cert or all, then clearly this isn't the end of
> the world, and thanks!
Since you say "also"... if you're adding a private CA _and_ you can rely on
this set of clients using some reliably-different (to the hoi-polloi) SNI -
you could make the expansion depend on the presented SNI. See section 10 in
the TLS chapter.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
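The SNI-dependent expansion Jeremy describes, written out as an added example (not from the thread, and not Exim's own documentation). The host name `mx-private.example.com`, the file paths, and the `private-clients` host list are placeholders; `tls_verify_certificates`, `tls_verify_hosts`, `tls_try_verify_hosts`, `$tls_in_sni` and `$tls_in_certificate_verified` are real Exim 4.8x+ names. It assumes, as the Exim TLS chapter describes, that the per-connection re-expansion after SNI is received is triggered by `tls_certificate` referencing `$tls_in_sni`, which is why the certificate and the CA list are keyed off the same variable:

```exim
# Main section: serve a dedicated certificate when the private SNI is
# presented, and only then offer the private CA as the acceptable
# issuer list; every other connection gets the public bundle.
tls_certificate = ${if eq{$tls_in_sni}{mx-private.example.com} \
                     {/etc/exim/tls/private-mx.pem} \
                     {/etc/exim/tls/public-mx.pem}}
tls_privatekey  = ${if eq{$tls_in_sni}{mx-private.example.com} \
                     {/etc/exim/tls/private-mx.key} \
                     {/etc/exim/tls/public-mx.key}}

tls_verify_certificates = ${if eq{$tls_in_sni}{mx-private.example.com} \
                             {/etc/exim/tls/private-ca.pem} \
                             {/etc/ssl/certs/ca-certificates.crt}}

# Clients in the placeholder host list MUST present a verifiable cert;
# everyone else is merely asked for one and may decline.
tls_verify_hosts     = +private-clients
tls_try_verify_hosts = *

# ACL (e.g. acl_smtp_mail): the SNI only selects which CA set is offered,
# so still check that verification actually succeeded before granting
# anything on the strength of the client certificate.
acl_check_mail:
  deny    condition = ${if eq{$tls_in_sni}{mx-private.example.com}}
          !condition = ${if eq{$tls_in_certificate_verified}{1}}
          message   = private endpoint requires a verified client certificate
  accept
```

The SNI string is chosen by the client, so it can only steer which CA list is advertised and used for verification; a connection that names the private SNI but cannot complete verification against the private CA still fails the check above, and verification logging (`log_selector = +tls_certificate_verified`, `+tls_sni`) makes both outcomes visible.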
