diff options
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 66 |
1 files changed, 43 insertions, 23 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 5bdf57282..dc7e4f75c 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16481,14 +16481,24 @@ See &%tls_verify_hosts%& below. .option tls_verify_certificates main string&!! unset .cindex "TLS" "client certificate verification" .cindex "certificate" "verification of client" -The value of this option is expanded, and must then be the absolute path to -a file containing permitted certificates for clients that -match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you -are using either GnuTLS version 3.3.6 (or later) or OpenSSL, -you can set &%tls_verify_certificates%& to the name of a -directory containing certificate files. -For earlier versions of GnuTLS -the option must be set to the name of a single file. +The value of this option is expanded, and must then be either the +word "system" +or the absolute path to +a file or directory containing permitted certificates for clients that +match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. + +The "system" value for the option will use a +system default location compiled into the SSL library. +This is not available for GnuTLS versions preceding 3.0.20 and an explicit location +must be specified. + +The use of a directory for the option value is not avilable for GnuTLS versions +preceding 3.3.6 and a single file must be used. + +With OpenSSL the certificates specified +explicitly +either by file or directory +are added to those given by the system default location. With OpenSSL the certificates specified explicitly @@ -23453,15 +23463,18 @@ There is no equivalent checking on client certificates. .cindex "certificate" "verification of server" .vindex "&$host$&" .vindex "&$host_address$&" -The value of this option must be the absolute path to a file containing -permitted server certificates, for use when setting up an encrypted connection. -Alternatively, -if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL, -you can set -&%tls_verify_certificates%& to the name of a directory containing certificate -files. -For earlier versions of GnuTLS the option must be set to the name of a -single file. +The value of this option must be either the +word "system" +or the absolute path to +a file or directory containing permitted certificates for servers, +for use when setting up an encrypted connection. + +The "system" value for the option will use a location compiled into the SSL library. +This is not available for GnuTLS versions preceding 3.0.20 and an explicit location +must be specified. + +The use of a directory for the option value is not avilable for GnuTLS versions +preceding 3.3.6 and a single file must be used. With OpenSSL the certificates specified explicitly @@ -25949,8 +25962,9 @@ include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: .ilist -The &%tls_verify_certificates%& option must contain the name of a file, not the -name of a directory for GnuTLS versions before 3.3.6 +The &%tls_verify_certificates%& option +cannot be the path of a directory +for GnuTLS versions before 3.3.6 (for later versions, or OpenSSL, it can be either). .next The default value for &%tls_dhparam%& differs for historical reasons. @@ -26302,8 +26316,10 @@ session with a client, you must set either &%tls_verify_hosts%& or apply to all TLS connections. For any host that matches one of these options, Exim requests a certificate as part of the setup of the TLS session. The contents of the certificate are verified by comparing it with a list of -expected certificates. These must be available in a file or, -for OpenSSL only (not GnuTLS), a directory, identified by +expected certificates. +These may be the system default set (depending on library version), +an explicit file or, +depending on library version, a directory, identified by &%tls_verify_certificates%&. A file can contain multiple certificates, concatenated end to end. If a @@ -26463,9 +26479,13 @@ if it requests it. If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it +specified a collection of expected server certificates. +These may be the system default set (depeding on library version), +a file or, +depnding on liibrary version, a directory, must name a file or, -for OpenSSL only (not GnuTLS), a directory, that contains a collection of -expected server certificates. The client verifies the server's certificate +for OpenSSL only (not GnuTLS), a directory. +The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. Failure to verify fails the TLS connection unless either of the |