author | grembo <grembo@FreeBSD.org> | 2016-06-06 11:08:05 +0000 |
---|---|---|
committer | grembo <grembo@FreeBSD.org> | 2016-06-06 11:08:05 +0000 |
commit | 7ef21bdc1b9ae1df0de83575c3ff9d441e1f41c6 | |
tree | 484dfe2722879c284dd9dd0102b3a72f5532b5ab /usr.bin | |
parent | 13d657a35d96e65f1be391830f36e1adff33534f | |
MFC r297052:
Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/fetch/fetch.1 | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/usr.bin/fetch/fetch.1 b/usr.bin/fetch/fetch.1 index 615a1ad..5a12775 100644 --- a/usr.bin/fetch/fetch.1 +++ b/usr.bin/fetch/fetch.1 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2000-2014 Dag-Erling Smørgrav -.\" Copyright (c) 2013 Michael Gmelin <freebsd@grem.de> +.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd@grem.de> .\" All rights reserved. .\" Portions Copyright (c) 1999 Massachusetts Institute of Technology; used .\" by permission. @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 25, 2015 +.Dd March 18, 2016 .Dt FETCH 1 .Os .Sh NAME @@ -134,11 +134,17 @@ only. [SSL] Path to certificate bundle containing trusted CA certificates. If not specified, -.Pa /etc/ssl/cert.pem +.Pa /usr/local/etc/ssl/cert.pem is used. -The file may contain multiple CA certificates. The port +If this file does not exist, +.Pa /etc/ssl/cert.pem +is used instead. +If neither file exists and no CA path has been configured, +OpenSSL's default CA cert and path settings apply. +The certificate bundle can contain multiple CA certificates. +The .Pa security/ca_root_nss -is a common source of a current CA bundle. +port is a common source of a current CA bundle. .It Fl -ca-path= Ns Ar dir [SSL] The directory @@ -218,10 +224,16 @@ altogether, or a comma- or whitespace-separated list of hosts for which proxies should not be used. .It Fl -no-sslv3 [SSL] -Don't allow SSL version 3 when negotiating the connection. +Do not allow SSL version 3 when negotiating the connection. +This option is deprecated and is provided for backward compatibility +only. +SSLv3 is disabled by default. +Set +.Ev SSL_ALLOW_SSL3 +to change this behavior. .It Fl -no-tlsv1 [SSL] -Don't allow TLS version 1 when negotiating the connection. +Do not allow TLS version 1 when negotiating the connection. .It Fl -no-verify-hostname [SSL] Do not verify that the hostname matches the subject of the 
@@ -351,8 +363,10 @@ for a description of additional environment variables, including .Ev SSL_CLIENT_CERT_FILE , .Ev SSL_CLIENT_KEY_FILE , .Ev SSL_CRL_FILE , -.Ev SSL_NO_SSL3 , +.Ev SSL_ALLOW_SSL3 , .Ev SSL_NO_TLS1 , +.Ev SSL_NO_TLS1_1 , +.Ev SSL_NO_TLS1_2 , .Ev SSL_NO_VERIFY_HOSTNAME and .Ev SSL_NO_VERIFY_PEER . |
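Review bot: In the `--ca-cert` text of the @@ -134,11 +134,17 hunk, the fallback sentence "If neither file exists and no CA path has been configured" does not say which setting "CA path" refers to. The `--ca-path=dir` option is documented immediately below, so name it there (for example "and --ca-path has not been given"). It would also help to state that the first existing file is used on its own rather than combined with the other, since the documented order gives /usr/local/etc/ssl/cert.pem precedence over /etc/ssl/cert.pem and that decides which trust anchors a host with both files relies on.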
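Review bot: In the `--no-sslv3` entry of the @@ -218,10 +224,16 hunk, "Set SSL_ALLOW_SSL3 to change this behavior" has an unclear referent: it follows "SSLv3 is disabled by default" but sits in the description of an option that forbids SSLv3. Say directly that setting SSL_ALLOW_SSL3 enables SSLv3, and state what happens when `--no-sslv3` is given while the variable is set, so a reader can tell whether the option still has any effect.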
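Review bot: In the environment variable list of the @@ -351,8 +363,10 hunk, SSL_NO_SSL3 is replaced by SSL_ALLOW_SSL3 with no remark, although the polarity flips from opt-out to opt-in. The `--no-sslv3` entry received a deprecation sentence; the old variable gets none here, so someone who still exports SSL_NO_SSL3 has no pointer to what it now does. Since this paragraph defers to another page "for a description of additional environment variables", confirm that page covers the retired name, or add a short mention here.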