> On Oct 19, 2022, at 10:29 AM, Matthew Lenz <mlenz@xxxxxxxxxxxxx> wrote: > > I didn't say the client was meant to enforce it. I meant the server should be enforcing it (it's not). Doesn't really make sense for the server to determine client verification of server certificate. 1) Server controls what certificate is provided, thus has control over what CA is used. 2) What would it mean for server to turn OFF client verification? Server is allowed to say "here's my cert, doesn't matter that it's using a bogus CA, you take it regardless of your local settings"???
