On Thu, Feb 16, 2023 at 09:17:51PM +0000, Jeremy Harris via Exim-users wrote:
> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> > Some applications (want to) only accept client certificates issued by a
> > dedicated non-public CA, which amounts to an authorisation server
>
> In exim usage that's a test on a certextract of the issuer of
> $tls_in_peercert, either just in ACL or as part of the
> server_condition for an authenticator using the tls driver.
>
> For either, the TLS session has to have been accepted first.

The problem is that any root CA can issue a subCA with any subject DN it
wants. So just checking issuer names, and expecting these to uniquely
identify a private dedicated CA, is not "safe". There is no global X.500
namespace that ensures uniqueness of CA "distinguished names"; they're
just made up.

So, if I can't bypass the system trust store, I would be more inclined to
check the issuer public key, not the issuer DN.

That said, an OpenSSL application can just set the environment and get a
non-default trust store location:

    https://www.openssl.org/docs/manmaster/man3/X509_get_default_cert_dir_env.html

    const char *X509_get_default_cert_dir_env(void);
    const char *X509_get_default_cert_file_env(void);

Just set those environment variables (just between us friends, those are
"SSL_CERT_DIR" and "SSL_CERT_FILE") to a directory and file that hold only
the application-specific trust anchors, and the system trust store would
no longer be loaded by default. This works for OpenSSL, can't speak to
GnuTLS...

--
    Viktor.
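The two points above (an issuer DN is not unique, and SSL_CERT_FILE/SSL_CERT_DIR replace the default trust store) can be seen end to end with the openssl command-line tool. The script below is an added example, not code from the thread or from the Exim or OpenSSL projects; it builds two throwaway CAs with the identical subject DN "CN=Private Client CA" and one client certificate from each, then shows that the issuer DN strings are indistinguishable, that the SHA-256 of the issuer's SubjectPublicKeyInfo is not, and that pointing SSL_CERT_FILE at the dedicated CA (with SSL_CERT_DIR at an empty directory) makes "openssl verify" accept only the client issued by that CA. All file names, CA names and the "ours"/"other" labels are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/empty-certdir"     # stands in for "no system trust store"

# make_ca NAME: self-signed CA. Both CAs deliberately get the SAME subject DN.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 7 -subj "/CN=Private Client CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA NAME: client certificate "CN=NAME" signed by CA.
issue_client() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 7 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# issuer_dn NAME: the issuer DN string, i.e. what an issuer-name check sees.
issuer_dn() { openssl x509 -in "$WORK/$1.pem" -noout -issuer; }

# spki_sha256 NAME: SHA-256 over the DER SubjectPublicKeyInfo of NAME's cert.
# Applied to a CA certificate this is the "issuer public key" to pin on.
spki_sha256() {
  openssl x509 -in "$WORK/$1.pem" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# verify_private NAME: verify NAME's cert with the default store redirected
# through the environment (no -CAfile option), so only ours.pem is trusted.
verify_private() {
  SSL_CERT_FILE="$WORK/ours.pem" SSL_CERT_DIR="$WORK/empty-certdir" \
    openssl verify "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca ours            # the application's dedicated client CA
make_ca other           # an unrelated CA that happens to use the same DN
issue_client ours alice
issue_client other bob

echo "issuer DN of alice: $(issuer_dn alice)"
echo "issuer DN of bob:   $(issuer_dn bob)"         # identical
echo "SPKI sha256 of ours CA:  $(spki_sha256 ours)"
echo "SPKI sha256 of other CA: $(spki_sha256 other)" # differ
if verify_private alice; then echo "alice: accepted"; else echo "alice: rejected"; fi
if verify_private bob;   then echo "bob: accepted";   else echo "bob: rejected";   fi
```

Note that `openssl verify` is given no `-CAfile` here: the trust anchors come purely from the two environment variables the post names, which is the same mechanism any OpenSSL-linked application picks up when it loads the default paths. An issuer-DN test, by contrast, cannot separate alice from bob at all, which is why comparing the issuer's SPKI hash against the known value for the dedicated CA is the check to prefer when the trust store itself cannot be narrowed.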
> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote: > > Some applications (want to) only accept client certificates issued by a > > dedicated non-public CA, which amounts to an authorisation server > > In exim usage that's a test on a certextract of the issuer of > $tls_in_peercert, either just in ACL or as part of the > serer_condition for an authenticator using the tls driver. > > For either, the TLS session has to have been accepted first. The problem is that any root CA can issue a subCA with any subject DN it wants. So just checking issuer names, and expecting these to uniquely identify a private dedicated CA is not "safe". There is no global X.500 namespace that ensures uniqueness of CA "distinguished names", they're just made up. So, if I can't bypass the system trust store, I would be more inclined to check the issuer public key, not the issuer DN. That said, an OpenSSL application can just set the environemt and get a non-default trust store location: https://www.openssl.org/docs/manmaster/man3/X509_get_default_cert_dir_env.html const char *X509_get_default_cert_dir_env(void); const char *X509_get_default_cert_file_env(void); Just set those enviroment variables (just between us friends, those are "SSL_CERT_DIR" and "SSL_CERT_FILE") to a directory and file that hold only the application-specific trust anchors, and the system trust store would no longer be loaded by default. This works for OpenSSL, can't speak to GnuTLS... -- Viktor. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/