commit e12924751b9270d34518da714b317e284c7db5cf
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Mon Nov 18 18:57:38 2019 +0100

    improve documentation of the server certificate related options

 src/mbsync.1 | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/mbsync.1 b/src/mbsync.1
index 883fc4f..e4906b0 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -371,18 +371,26 @@ Use old versions only when the server has problems with 
newer ones.
 ..
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR
-Whether the system's default root cerificate store should be loaded.
+Whether the system's default CA (certificate authority) certificate
+store should be used to verify certificate trust chains. Disable this
+if you want to trust only hand-picked certificates.
 (Default: \fByes\fR)
 ..
 .TP
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server
-identities. Directly matched peer certificates are always trusted,
-regardless of validity.
-.br
-Note that the system's default certificate store is always used
-(unless \fBSystemCertificates\fR is disabled)
-and should not be specified here.
+identities.
+These certificates are always trusted, regardless of validity.
+.br
+The certificates from this file are matched only against the received
+server certificate itself; CA certificates are \fBnot\fR supported here.
+Do \fBnot\fR specify the system's CA certificate store here; see
+\fBSystemCertificates\fR instead.
+.br
+The contents for this file may be obtained using the
+\fBmbsync-get-cert\fR tool; make sure to verify the fingerprints of the
+certificates before trusting them, or transfer them securely from the
+server's network (if it is trusted).
 ..
 .TP
 \fBClientCertificate\fR \fIpath\fR
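Review bot: In the CertificateFile paragraph, "These certificates are always trusted, regardless of validity" does not say which checks "validity" covers. Please spell out whether an expired certificate or one whose name does not match the configured host is still accepted when it appears in this file, because users who pin a certificate need to know that it stays accepted until they remove it. In the same paragraph, "(if it is trusted)" is ambiguous about whether "it" means the server or its network; something like "from within the server's network, if that network is trusted" would read unambiguously. The SystemCertificates entry now mentions "hand-picked certificates" without naming CertificateFile as the place to put them, so a cross-reference there would mirror the one added in the other direction.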


_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
