| | | |
|---|---|---|
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-10-16 19:11:45 +0100 |
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-10-16 19:11:45 +0100 |
| commit | a7fec7a71987d40dc09601ae33902d0a761887b9 | |
| tree | 50670d515f852f9893c723c355ec80199c3bc20d /doc | |
| parent | fe245072af3fdc4440da6cff246ac203a2759b09 | |
Handle certificate dir under GnuTLS, if recent enough
Add testcases for certificate directories
The GnuTLS implementation has been tested on Fedora 21 (alpha),
using GnuTLS 3.3.9. The testsuite case is here but with the
script commented-out. When enabled, the log/mail/stdout/stderr
files will be created fresh.
Diffstat (limited to 'doc')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 21 |
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 |

2 files changed, 17 insertions, 7 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9cfc06ca5..e3df0854e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16484,9 +16484,11 @@ See &%tls_verify_hosts%& below. The value of this option is expanded, and must then be the absolute path to a file containing permitted certificates for clients that match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you -are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a -directory containing certificate files. This does not work with GnuTLS; the -option must be set to the name of a single file if you are using GnuTLS. +are using either GnuTLS version 3.3.6 (or later) or OpenSSL, +you can set &%tls_verify_certificates%& to the name of a +directory containing certificate files. +For earlier versions of GnuTLS +the option must be set to the name of a single file. These certificates should be for the certificate authorities trusted, rather than the public cert of individual clients. With both OpenSSL and GnuTLS, if @@ -23432,10 +23434,14 @@ certificate verification succeeds. .vindex "&$host_address$&" The value of this option must be the absolute path to a file containing permitted server certificates, for use when setting up an encrypted connection. -Alternatively, if you are using OpenSSL, you can set +Alternatively, +if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL, +you can set &%tls_verify_certificates%& to the name of a directory containing certificate -files. This does not work with GnuTLS; the option must be set to the name of a -single file if you are using GnuTLS. The values of &$host$& and +files. +For earlier versions of GnuTLS the option must be set to the name of a +single file. +The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS. 
@@ -25917,7 +25923,8 @@ There are some differences in usage when using GnuTLS instead of OpenSSL: .ilist The &%tls_verify_certificates%& option must contain the name of a file, not the -name of a directory (for OpenSSL it can be either). +name of a directory for GnuTLS versions before 3.3.6 +(for later versions, or OpenSSL, it can be either). .next The default value for &%tls_dhparam%& differs for historical reasons. .next diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0b03894b2..8b3dfe8c7 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -48,6 +48,9 @@ JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed size buffer was used, resulting in syntax errors when an expansion exceeded it. +JH/07 Add support for directories of certificates when compiled with a GnuTLS + version 3.3.6 or later. + Exim version 4.84 ----------------- |
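Review bot: in the spec.xfpt hunk at 16484, the rewritten sentence fixes the directory-support threshold at GnuTLS 3.3.6, yet the commit message only records testing with GnuTLS 3.3.9 on Fedora 21; the commit message should say where the 3.3.6 boundary comes from (which GnuTLS release added directory loading) so a maintainer can verify the number rather than take it on trust. Minor wording: `+are using either GnuTLS version 3.3.6 (or later) or OpenSSL,` nests "either ... or" around a parenthetical; "GnuTLS 3.3.6 or later, or OpenSSL," reads more cleanly.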
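Review bot: the client-side hunk at 23432 now says a directory is accepted from GnuTLS 3.3.6 onwards, but neither this hunk nor the server-side one says what Exim does on an older GnuTLS when a directory is configured anyway (refuse to start, fail the TLS setup, or something else). For the option that decides which server certificates are trusted, the failure mode is the part an operator most needs to have documented; one sentence after `+For earlier versions of GnuTLS the option must be set to the name of a` would cover it. Also, this paragraph and the one at 16484 now carry the same four-line version rule twice; stating it once and cross-referencing would keep the two from drifting apart on the next edit.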
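Review bot: the amended list item at 25917 reads awkwardly: `+name of a directory for GnuTLS versions before 3.3.6` tacks the version condition onto the end of a sentence whose opening clause still states the rule unconditionally, and the list is introduced as the differences from OpenSSL, which for GnuTLS 3.3.6 and later no longer exist on this point. Suggest putting the condition first, e.g. "Before GnuTLS 3.3.6, &%tls_verify_certificates%& must name a file, not a directory; with later versions, as with OpenSSL, it can be either."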
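Review bot: the ChangeLog entry `+JH/07 Add support for directories of certificates when compiled with a GnuTLS` says "compiled with", while the spec.xfpt hunks say "using ... GnuTLS version 3.3.6 (or later)"; these differ if the version test is made at build time against the headers rather than at run time against the linked library, which matters for binary packages built on one GnuTLS and run against another. Pick the wording that matches the actual check (the code change is not in this doc-only view) and use it in both the ChangeLog and the spec.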