Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles

Reviewed by:	wblock
Approved by:	wblock
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D5558
This commit is contained in:
grembo 2016-03-19 11:55:21 +00:00
parent 55b7402d49
commit 9533d74078
2 changed files with 39 additions and 18 deletions

View File

@ -1,6 +1,6 @@
.\"-
.\" Copyright (c) 1998-2013 Dag-Erling Smørgrav
.\" Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd November 29, 2015
.Dd March 18, 2016
.Dt FETCH 3
.Os
.Sh NAME
@ -396,8 +396,15 @@ is currently unimplemented.
.Sh HTTPS SCHEME
Based on HTTP SCHEME.
By default the peer is verified using the CA bundle located in
.Pa /etc/ssl/cert.pem .
The file may contain multiple CA certificates.
.Pa /usr/local/etc/ssl/cert.pem .
If this file does not exist,
.Pa /etc/ssl/cert.pem
is used instead.
If neither file exists, and
.Ev SSL_CA_CERT_PATH
has not been set,
OpenSSL's default CA cert and path settings apply.
The certificate bundle can contain multiple CA certificates.
A common source of a current CA bundle is
.Pa \%security/ca_root_nss .
.Pp
@ -428,10 +435,11 @@ Client certificate based authentication is supported.
The environment variable
.Ev SSL_CLIENT_CERT_FILE
should be set to point to a file containing key and client certificate
to be used in PEM format. In case the key is stored in a separate
file, the environment variable
to be used in PEM format.
When a PEM-format key is in a separate file from the client certificate,
the environment variable
.Ev SSL_CLIENT_KEY_FILE
can be set to point to the key in PEM format.
can be set to point to the key file.
In case the key uses a password, the user will be prompted on standard
input (see
.Xr PEM 3 ) .
@ -531,7 +539,7 @@ Invalid URL
.El
.Pp
The accompanying error message includes a protocol-specific error code
and message, e.g.\& "File is not available (404 Not Found)"
and message, like "File is not available (404 Not Found)"
.Sh ENVIRONMENT
.Bl -tag -width ".Ev FETCH_BIND_ADDRESS"
.It Ev FETCH_BIND_ADDRESS
@ -648,8 +656,7 @@ for compatibility.
Allow SSL version 3 when negotiating the connection (not recommended).
.It Ev SSL_CA_CERT_FILE
CA certificate bundle containing trusted CA certificates.
Default value:
.Pa /etc/ssl/cert.pem .
Default value: See HTTPS SCHEME above.
.It Ev SSL_CA_CERT_PATH
Path containing trusted CA hashes.
.It Ev SSL_CLIENT_CERT_FILE

View File

@ -1,6 +1,6 @@
.\"-
.\" Copyright (c) 2000-2014 Dag-Erling Smørgrav
.\" Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de>
.\" All rights reserved.
.\" Portions Copyright (c) 1999 Massachusetts Institute of Technology; used
.\" by permission.
@ -30,7 +30,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd March 25, 2015
.Dd March 18, 2016
.Dt FETCH 1
.Os
.Sh NAME
@ -134,11 +134,17 @@ only.
[SSL]
Path to certificate bundle containing trusted CA certificates.
If not specified,
.Pa /etc/ssl/cert.pem
.Pa /usr/local/etc/ssl/cert.pem
is used.
The file may contain multiple CA certificates. The port
If this file does not exist,
.Pa /etc/ssl/cert.pem
is used instead.
If neither file exists and no CA path has been configured,
OpenSSL's default CA cert and path settings apply.
The certificate bundle can contain multiple CA certificates.
The
.Pa security/ca_root_nss
is a common source of a current CA bundle.
port is a common source of a current CA bundle.
.It Fl -ca-path= Ns Ar dir
[SSL]
The directory
@ -218,10 +224,16 @@ altogether, or a comma- or whitespace-separated list of hosts for
which proxies should not be used.
.It Fl -no-sslv3
[SSL]
Don't allow SSL version 3 when negotiating the connection.
Do not allow SSL version 3 when negotiating the connection.
This option is deprecated and is provided for backward compatibility
only.
SSLv3 is disabled by default.
Set
.Ev SSL_ALLOW_SSL3
to change this behavior.
.It Fl -no-tlsv1
[SSL]
Don't allow TLS version 1 when negotiating the connection.
Do not allow TLS version 1 when negotiating the connection.
.It Fl -no-verify-hostname
[SSL]
Do not verify that the hostname matches the subject of the
@ -351,8 +363,10 @@ for a description of additional environment variables, including
.Ev SSL_CLIENT_CERT_FILE ,
.Ev SSL_CLIENT_KEY_FILE ,
.Ev SSL_CRL_FILE ,
.Ev SSL_NO_SSL3 ,
.Ev SSL_ALLOW_SSL3 ,
.Ev SSL_NO_TLS1 ,
.Ev SSL_NO_TLS1_1 ,
.Ev SSL_NO_TLS1_2 ,
.Ev SSL_NO_VERIFY_HOSTNAME
and
.Ev SSL_NO_VERIFY_PEER .