| author | Phil Pennock <pdp@exim.org> | 2011-01-16 22:21:37 -0500 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2011-01-16 22:21:37 -0500 |
| commit | 6b8e6cb23ce5cc39a83c7fd0a373c79953351fec | |
| tree | 56fdea46928e7093330f8ca345af3ada17479880 /doc | |
| parent | fea24b2ea4e2c2a4b77d6fb222054e32e658b227 | |
Clarify: tls_verify_certificates is for CA certs.
It can be used for individual user certs but is really intended for
CAs. Note this, and explain that if the tls_verify_certificates value
is a file, then the certs within are sent from the server to clients,
and thus are public data.
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 7 |
|---|---|---|

1 files changed, 7 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 15b3a2b89..160410bd3 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -15431,6 +15431,13 @@ are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a directory containing certificate files. This does not work with GnuTLS; the option must be set to the name of a single file if you are using GnuTLS. +These certificates should be for the certificate authorities trusted, rather +than the public cert of individual clients. With both OpenSSL and GnuTLS, if +the value is a file then the certificates are sent by Exim as a server to +connecting clients, defining the list of accepted certificate authorities. +Thus the values defined should be considered public data. To avoid this, +use OpenSSL with a directory. + .option tls_verify_hosts main "host list&!!" unset .cindex "TLS" "client certificate verification" |
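Review bot: the closing sentence "To avoid this, use OpenSSL with a directory." leaves GnuTLS users without guidance, even though the unchanged context just above states that GnuTLS only accepts a single file; say explicitly that with GnuTLS the CA list is always advertised to connecting clients and that the only mitigation is to keep the file limited to the CA certificates that actually need to be trusted. Two wording points in the same hunk: "the certificate authorities trusted" reads more naturally as "the trusted certificate authorities", and "Thus the values defined should be considered public data" would be clearer as "Thus the contents of that file should be considered public data", since it is the file contents, not option values, that are exposed. It would also help to state why this matters for the preceding sentence about individual client certificates: anything placed in the file, including per-user certificates, is advertised to every connecting client as an accepted issuer, which is the concrete reason the option should hold CA certificates only.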