Using TRUST_AUTH_MECH EXTERNAL and TLS

Folks,

When using TRUST_AUTH_MECH with EXTERNAL and TLS, is there a way to control
which certificates will be treated as "authenticated" and which will not?
By default, it seems that if one enables EXTERNAL, then any certificate that
can be verified is also automatically authenticated. That's not exactly
what I want.

Would it be possible to use EXTERNAL and then specify a list of DNs that may
be authenticated?

Thanks!
Paul