Testsuite: move CRL testcases away from using SHA1-signed certs

author: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-18 15:38:54 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-18 16:23:07 +0000
commit: dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7 (patch)
tree: a76e6042d7fb65130815dd36ddae949fcf7a0a97 /doc
parent: 242583694aff4f43c3dbf7581b1100a68b3e0c11 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4dc6491e5..9c011a989 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17155,7 +17155,15 @@ generated for every connection.
 .cindex "TLS" "server certificate revocation list"
 .cindex "certificate" "revocation list for server"
 This option specifies a certificate revocation list. The expanded value must
-be the name of a file that contains a CRL in PEM format.
+be the name of a file that contains CRLs in PEM format.
+
+.new
+Under OpenSSL the option can specify a directory with CRL files.
+
+&*Note: Under OpenSSL the option must, if given, supply a CRL
+for each signing element of the certificate chain (i.e. all but the leaf).
+For the file variant this can be multiple PEM blocks in the one file.
+.wen
 
 See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
author	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-18 15:38:54 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-18 16:23:07 +0000
commit	dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7 (patch)
tree	a76e6042d7fb65130815dd36ddae949fcf7a0a97 /doc
parent	242583694aff4f43c3dbf7581b1100a68b3e0c11 (diff)