Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles
Reviewed by: wblock Approved by: wblock MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D5558
This commit is contained in:
parent
55b7402d49
commit
9533d74078
@ -1,6 +1,6 @@
|
||||
.\"-
|
||||
.\" Copyright (c) 1998-2013 Dag-Erling Smørgrav
|
||||
.\" Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
|
||||
.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de>
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
@ -26,7 +26,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 29, 2015
|
||||
.Dd March 18, 2016
|
||||
.Dt FETCH 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -396,8 +396,15 @@ is currently unimplemented.
|
||||
.Sh HTTPS SCHEME
|
||||
Based on HTTP SCHEME.
|
||||
By default the peer is verified using the CA bundle located in
|
||||
.Pa /etc/ssl/cert.pem .
|
||||
The file may contain multiple CA certificates.
|
||||
.Pa /usr/local/etc/ssl/cert.pem .
|
||||
If this file does not exist,
|
||||
.Pa /etc/ssl/cert.pem
|
||||
is used instead.
|
||||
If neither file exists, and
|
||||
.Ev SSL_CA_CERT_PATH
|
||||
has not been set,
|
||||
OpenSSL's default CA cert and path settings apply.
|
||||
The certificate bundle can contain multiple CA certificates.
|
||||
A common source of a current CA bundle is
|
||||
.Pa \%security/ca_root_nss .
|
||||
.Pp
|
||||
@ -428,10 +435,11 @@ Client certificate based authentication is supported.
|
||||
The environment variable
|
||||
.Ev SSL_CLIENT_CERT_FILE
|
||||
should be set to point to a file containing key and client certificate
|
||||
to be used in PEM format. In case the key is stored in a separate
|
||||
file, the environment variable
|
||||
to be used in PEM format.
|
||||
When a PEM-format key is in a separate file from the client certificate,
|
||||
the environment variable
|
||||
.Ev SSL_CLIENT_KEY_FILE
|
||||
can be set to point to the key in PEM format.
|
||||
can be set to point to the key file.
|
||||
In case the key uses a password, the user will be prompted on standard
|
||||
input (see
|
||||
.Xr PEM 3 ) .
|
||||
@ -531,7 +539,7 @@ Invalid URL
|
||||
.El
|
||||
.Pp
|
||||
The accompanying error message includes a protocol-specific error code
|
||||
and message, e.g.\& "File is not available (404 Not Found)"
|
||||
and message, like "File is not available (404 Not Found)"
|
||||
.Sh ENVIRONMENT
|
||||
.Bl -tag -width ".Ev FETCH_BIND_ADDRESS"
|
||||
.It Ev FETCH_BIND_ADDRESS
|
||||
@ -648,8 +656,7 @@ for compatibility.
|
||||
Allow SSL version 3 when negotiating the connection (not recommended).
|
||||
.It Ev SSL_CA_CERT_FILE
|
||||
CA certificate bundle containing trusted CA certificates.
|
||||
Default value:
|
||||
.Pa /etc/ssl/cert.pem .
|
||||
Default value: See HTTPS SCHEME above.
|
||||
.It Ev SSL_CA_CERT_PATH
|
||||
Path containing trusted CA hashes.
|
||||
.It Ev SSL_CLIENT_CERT_FILE
|
||||
|
@ -1,6 +1,6 @@
|
||||
.\"-
|
||||
.\" Copyright (c) 2000-2014 Dag-Erling Smørgrav
|
||||
.\" Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
|
||||
.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de>
|
||||
.\" All rights reserved.
|
||||
.\" Portions Copyright (c) 1999 Massachusetts Institute of Technology; used
|
||||
.\" by permission.
|
||||
@ -30,7 +30,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd March 25, 2015
|
||||
.Dd March 18, 2016
|
||||
.Dt FETCH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -134,11 +134,17 @@ only.
|
||||
[SSL]
|
||||
Path to certificate bundle containing trusted CA certificates.
|
||||
If not specified,
|
||||
.Pa /etc/ssl/cert.pem
|
||||
.Pa /usr/local/etc/ssl/cert.pem
|
||||
is used.
|
||||
The file may contain multiple CA certificates. The port
|
||||
If this file does not exist,
|
||||
.Pa /etc/ssl/cert.pem
|
||||
is used instead.
|
||||
If neither file exists and no CA path has been configured,
|
||||
OpenSSL's default CA cert and path settings apply.
|
||||
The certificate bundle can contain multiple CA certificates.
|
||||
The
|
||||
.Pa security/ca_root_nss
|
||||
is a common source of a current CA bundle.
|
||||
port is a common source of a current CA bundle.
|
||||
.It Fl -ca-path= Ns Ar dir
|
||||
[SSL]
|
||||
The directory
|
||||
@ -218,10 +224,16 @@ altogether, or a comma- or whitespace-separated list of hosts for
|
||||
which proxies should not be used.
|
||||
.It Fl -no-sslv3
|
||||
[SSL]
|
||||
Don't allow SSL version 3 when negotiating the connection.
|
||||
Do not allow SSL version 3 when negotiating the connection.
|
||||
This option is deprecated and is provided for backward compatibility
|
||||
only.
|
||||
SSLv3 is disabled by default.
|
||||
Set
|
||||
.Ev SSL_ALLOW_SSL3
|
||||
to change this behavior.
|
||||
.It Fl -no-tlsv1
|
||||
[SSL]
|
||||
Don't allow TLS version 1 when negotiating the connection.
|
||||
Do not allow TLS version 1 when negotiating the connection.
|
||||
.It Fl -no-verify-hostname
|
||||
[SSL]
|
||||
Do not verify that the hostname matches the subject of the
|
||||
@ -351,8 +363,10 @@ for a description of additional environment variables, including
|
||||
.Ev SSL_CLIENT_CERT_FILE ,
|
||||
.Ev SSL_CLIENT_KEY_FILE ,
|
||||
.Ev SSL_CRL_FILE ,
|
||||
.Ev SSL_NO_SSL3 ,
|
||||
.Ev SSL_ALLOW_SSL3 ,
|
||||
.Ev SSL_NO_TLS1 ,
|
||||
.Ev SSL_NO_TLS1_1 ,
|
||||
.Ev SSL_NO_TLS1_2 ,
|
||||
.Ev SSL_NO_VERIFY_HOSTNAME
|
||||
and
|
||||
.Ev SSL_NO_VERIFY_PEER .
|
||||
|
Loading…
Reference in New Issue
Block a user