commit 09540b5648aecd1bd2e29db0b6201ca71381a058
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Sun Aug 2 20:05:42 2020 +0200

    unbreak CertificateFile documentation
    
    the file may in fact contain CA certs.
    
    amends 7d9d3e15.

 src/mbsync.1 | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/src/mbsync.1 b/src/mbsync.1
index 6830508..dfdba79 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -379,17 +379,27 @@ if you want to trust only hand-picked certificates.
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server
 identities.
-These certificates are always trusted, regardless of validity.
-.br
-The certificates from this file are matched only against the received
-server certificate itself; CA certificates are \fBnot\fR supported here.
-Do \fBnot\fR specify the system's CA certificate store here; see
-\fBSystemCertificates\fR instead.
-.br
-The contents for this file may be obtained using the
-\fBmbsync-get-cert\fR tool; make sure to verify the fingerprints of the
-certificates before trusting them, or transfer them securely from the
-server's network (if it is trusted).
+It may contain two types of certificates:
+.RS
+.IP Host
+These certificates are matched only against the received server certificate
+itself.
+They are always trusted, regardless of validity.
+A typical use case would be forcing acceptance of an expired certificate.
+.br
+These certificates may be obtained using the \fBmbsync-get-cert\fR tool;
+make sure to verify their fingerprints before trusting them, or transfer
+them securely from the server's network (if it can be trusted beyond the
+server itself).
+.IP CA
+These certificates are used as trust anchors when building the certificate
+chain for the received server certificate.
+They are used to supplant or supersede the system's trust store, depending
+on the \fBSystemCertificates\fR setting;
+it is not necessary and not recommended to specify the system's trust store
+itself here.
+The trust chains are fully validated.
+.RE
 .
 .TP
 \fBClientCertificate\fR \fIpath\fR
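
Review bot: In the CA paragraph, "supplant or supersede the system's trust store" uses two words that both mean "replace", so the sentence does not convey that the outcome depends on \fBSystemCertificates\fR; "supplement or replace" looks like the intended wording. The new text also does not say how a certificate in the file is classified as Host or CA. That matters because Host entries are "always trusted, regardless of validity" while CA trust chains are "fully validated", so a sentence stating the rule would keep a reader from assuming that an expired CA certificate gets the Host treatment.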


_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
