improve documentation of the server certificate related options

2019-11-18 18:57:38 +01:00 · 2019-11-18 18:57:38 +01:00 · 7d9d3e15f5
commit 7d9d3e15f5
parent a2fe8c155a
1 changed files with 14 additions and 6 deletions
--- a/src/mbsync.1
+++ b/src/mbsync.1
@ -371,18 +371,26 @@ Use old versions only when the server has problems with newer ones.
 ..
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR
-Whether the system's default root cerificate store should be loaded.
+Whether the system's default CA (certificate authority) certificate
 store should be used to verify certificate trust chains. Disable this
 if you want to trust only hand-picked certificates.
 (Default: \fByes\fR)
 ..
 .TP
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server
-identities. Directly matched peer certificates are always trusted,
+identities.
-regardless of validity.
+These certificates are always trusted, regardless of validity.
 .br
-Note that the system's default certificate store is always used
+The certificates from this file are matched only against the received
-(unless \fBSystemCertificates\fR is disabled)
+server certificate itself; CA certificates are \fBnot\fR supported here.
-and should not be specified here.
+Do \fBnot\fR specify the system's CA certificate store here; see
 \fBSystemCertificates\fR instead.
 .br
 The contents for this file may be obtained using the
 \fBmbsync-get-cert\fR tool; make sure to verify the fingerprints of the
 certificates before trusting them, or transfer them securely from the
 server's network (if it is trusted).
 ..
 .TP
 \fBClientCertificate\fR \fIpath\fR