summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-11-23 16:10:30 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2015-01-12 18:58:34 +0000
commitcb1d783072c488a4a558607b2ee122efba95aa4b (patch)
treecb7a278c3917deb2a116fa01750f436e6250ab8e /doc
parent01a4a5c5cbaa40ca618d3e233991ce183b551477 (diff)
Support use of system default CA bundle
Diffstat (limited to 'doc')
-rw-r--r--doc/doc-docbook/spec.xfpt66
-rw-r--r--doc/doc-txt/ChangeLog4
2 files changed, 47 insertions, 23 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5bdf57282..dc7e4f75c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16481,14 +16481,24 @@ See &%tls_verify_hosts%& below.
.option tls_verify_certificates main string&!! unset
.cindex "TLS" "client certificate verification"
.cindex "certificate" "verification of client"
-The value of this option is expanded, and must then be the absolute path to
-a file containing permitted certificates for clients that
-match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you
-are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
-you can set &%tls_verify_certificates%& to the name of a
-directory containing certificate files.
-For earlier versions of GnuTLS
-the option must be set to the name of a single file.
+The value of this option is expanded, and must then be either the
+word "system"
+or the absolute path to
+a file or directory containing permitted certificates for clients that
+match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&.
+
+The "system" value for the option will use a
+system default location compiled into the SSL library.
+This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+must be specified.
+
+The use of a directory for the option value is not avilable for GnuTLS versions
+preceding 3.3.6 and a single file must be used.
+
+With OpenSSL the certificates specified
+explicitly
+either by file or directory
+are added to those given by the system default location.
With OpenSSL the certificates specified
explicitly
@@ -23453,15 +23463,18 @@ There is no equivalent checking on client certificates.
.cindex "certificate" "verification of server"
.vindex "&$host$&"
.vindex "&$host_address$&"
-The value of this option must be the absolute path to a file containing
-permitted server certificates, for use when setting up an encrypted connection.
-Alternatively,
-if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
-you can set
-&%tls_verify_certificates%& to the name of a directory containing certificate
-files.
-For earlier versions of GnuTLS the option must be set to the name of a
-single file.
+The value of this option must be either the
+word "system"
+or the absolute path to
+a file or directory containing permitted certificates for servers,
+for use when setting up an encrypted connection.
+
+The "system" value for the option will use a location compiled into the SSL library.
+This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+must be specified.
+
+The use of a directory for the option value is not avilable for GnuTLS versions
+preceding 3.3.6 and a single file must be used.
With OpenSSL the certificates specified
explicitly
@@ -25949,8 +25962,9 @@ include files and libraries for GnuTLS can be found.
There are some differences in usage when using GnuTLS instead of OpenSSL:
.ilist
-The &%tls_verify_certificates%& option must contain the name of a file, not the
-name of a directory for GnuTLS versions before 3.3.6
+The &%tls_verify_certificates%& option
+cannot be the path of a directory
+for GnuTLS versions before 3.3.6
(for later versions, or OpenSSL, it can be either).
.next
The default value for &%tls_dhparam%& differs for historical reasons.
@@ -26302,8 +26316,10 @@ session with a client, you must set either &%tls_verify_hosts%& or
apply to all TLS connections. For any host that matches one of these options,
Exim requests a certificate as part of the setup of the TLS session. The
contents of the certificate are verified by comparing it with a list of
-expected certificates. These must be available in a file or,
-for OpenSSL only (not GnuTLS), a directory, identified by
+expected certificates.
+These may be the system default set (depending on library version),
+an explicit file or,
+depending on library version, a directory, identified by
&%tls_verify_certificates%&.
A file can contain multiple certificates, concatenated end to end. If a
@@ -26463,9 +26479,13 @@ if it requests it. If the server is Exim, it will request a certificate only if
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
+specified a collection of expected server certificates.
+These may be the system default set (depeding on library version),
+a file or,
+depnding on liibrary version, a directory,
must name a file or,
-for OpenSSL only (not GnuTLS), a directory, that contains a collection of
-expected server certificates. The client verifies the server's certificate
+for OpenSSL only (not GnuTLS), a directory.
+The client verifies the server's certificate
against this collection, taking into account any revoked certificates that are
in the list defined by &%tls_crl%&.
Failure to verify fails the TLS connection unless either of the
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 27abe4701..f2954b945 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -17,6 +17,10 @@ JH/04 Certificate name checking on server certificates, when exim is a client,
can be used to disable this per-host. The build option
EXPERIMENTAL_CERTNAMES is withdrawn.
+JH/05 The value of the tls_verify_certificates smtp transport and main options
+ can now be the word "system" to access the system default CA bundle.
+ For GnuTLS, only version 3.0.20 or later.
+
Exim version 4.85
-----------------