isync

mailbox synchronization program
git clone https://git.code.sf.net/p/isync/isync

commit 7d9d3e15f5e8e3a82998dd74287b0021c1900aaa
parent a2fe8c155a625b8242bd36870bc1e0c88b5f37bd
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date:   Mon, 18 Nov 2019 18:57:38 +0100

improve documentation of the server certificate related options

Diffstat:
M src/mbsync.1 | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/mbsync.1 b/src/mbsync.1 @@ -371,18 +371,26 @@ Use old versions only when the server has problems with newer ones. .. .TP \fBSystemCertificates\fR \fByes\fR|\fBno\fR -Whether the system's default root cerificate store should be loaded. +Whether the system's default CA (certificate authority) certificate +store should be used to verify certificate trust chains. Disable this +if you want to trust only hand-picked certificates. (Default: \fByes\fR) .. .TP \fBCertificateFile\fR \fIpath\fR File containing additional X.509 certificates used to verify server -identities. Directly matched peer certificates are always trusted, -regardless of validity. -.br -Note that the system's default certificate store is always used -(unless \fBSystemCertificates\fR is disabled) -and should not be specified here. +identities. +These certificates are always trusted, regardless of validity. +.br +The certificates from this file are matched only against the received +server certificate itself; CA certificates are \fBnot\fR supported here. +Do \fBnot\fR specify the system's CA certificate store here; see +\fBSystemCertificates\fR instead. +.br +The contents for this file may be obtained using the +\fBmbsync-get-cert\fR tool; make sure to verify the fingerprints of the +certificates before trusting them, or transfer them securely from the +server's network (if it is trusted). .. .TP \fBClientCertificate\fR \fIpath\fR
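Review bot: In the CertificateFile entry, "These certificates are always trusted, regardless of validity" does not say which checks "validity" covers, so a reader cannot tell what a pinned certificate bypasses. Please name the checks explicitly in that sentence, since the new wording now applies to every certificate in the file rather than only to "directly matched peer certificates". The closing paragraph has the same gap: "make sure to verify the fingerprints" gives no reference to compare against, and "transfer them securely from the server's network (if it is trusted)" is hard to act on; stating that the fingerprint should be compared with one obtained from the server operator over a separate channel would make the advice usable. Minor: the SystemCertificates entry mentions "hand-picked certificates" without pointing to \fBCertificateFile\fR, while the reverse cross-reference is present.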