From 7d9d3e15f5e8e3a82998dd74287b0021c1900aaa Mon Sep 17 00:00:00 2001 From: Oswald Buddenhagen Date: Mon, 18 Nov 2019 18:57:38 +0100 Subject: [PATCH] improve documentation of the server certificate related options --- src/mbsync.1 | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/src/mbsync.1 b/src/mbsync.1 index 883fc4f..e4906b0 100644 --- a/src/mbsync.1 +++ b/src/mbsync.1 @@ -371,18 +371,26 @@ Use old versions only when the server has problems with newer ones. .. .TP \fBSystemCertificates\fR \fByes\fR|\fBno\fR -Whether the system's default root cerificate store should be loaded. +Whether the system's default CA (certificate authority) certificate +store should be used to verify certificate trust chains. Disable this +if you want to trust only hand-picked certificates. (Default: \fByes\fR) .. .TP \fBCertificateFile\fR \fIpath\fR File containing additional X.509 certificates used to verify server -identities. Directly matched peer certificates are always trusted, -regardless of validity. +identities. +These certificates are always trusted, regardless of validity. .br -Note that the system's default certificate store is always used -(unless \fBSystemCertificates\fR is disabled) -and should not be specified here. +The certificates from this file are matched only against the received +server certificate itself; CA certificates are \fBnot\fR supported here. +Do \fBnot\fR specify the system's CA certificate store here; see +\fBSystemCertificates\fR instead. +.br +The contents for this file may be obtained using the +\fBmbsync-get-cert\fR tool; make sure to verify the fingerprints of the +certificates before trusting them, or transfer them securely from the +server's network (if it is trusted). .. .TP \fBClientCertificate\fR \fIpath\fR