From 07af267efb085ad25e9ec81eb4c6b11364acdcd1 Mon Sep 17 00:00:00 2001 From: Nigel Metheringham Date: Mon, 26 Oct 2009 13:14:23 +0000 Subject: [PATCH] TLS documentation bugfixes Fixes: #888 --- doc/doc-docbook/spec.xfpt | 17 ++++++++++------- doc/doc-txt/ChangeLog | 4 +++- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f90427020..62a07ad75 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.62 2009/10/26 13:10:23 nm4 Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.63 2009/10/26 13:14:23 nm4 Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -24454,13 +24454,10 @@ unencrypted. The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)& transport provide the client with a certificate, which is passed to the server if it requests it. If the server is Exim, it will request a certificate only if -&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&: -These options must be set in the &(smtp)& transport for Exim to use TLS when it -is operating as a client. Exim does not assume that a server certificate (set -by the global options of the same name) should also be used when operating as a -client. +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. -If &%tls_verify_certificates%& is set, it must name a file or, +If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it +must name a file or, for OpenSSL only (not GnuTLS), a directory, that contains a collection of expected server certificates. The client verifies the server's certificate against this collection, taking into account any revoked certificates that are @@ -24472,6 +24469,12 @@ list of permitted cipher suites. If either of these checks fails, delivery to the current host is abandoned, and the &(smtp)& transport tries to deliver to alternative hosts, if any. + &*Note*&: +These options must be set in the &(smtp)& transport for Exim to use TLS when it +is operating as a client. Exim does not assume that a server certificate (set +by the global options of the same name) should also be used when operating as a +client. + .vindex "&$host$&" .vindex "&$host_address$&" All the TLS options in the &(smtp)& transport are expanded before use, with diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 95b20a230..38260c0a6 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.580 2009/10/26 13:10:23 nm4 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.581 2009/10/26 13:14:23 nm4 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -134,6 +134,8 @@ NM/28 Bugzilla 807: Improvements to LMTP delivery logging NM/29 Bugzilla 862, 866, 875: Documentation bugfixes +NM/30 Bugzilla 888: TLS documentation bugfixes + Exim version 4.69 ----------------- -- 2.25.1