aboutsummaryrefslogtreecommitdiffstats
path: root/doc/interimap.1.md
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-09 15:34:00 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-09 15:34:00 +0100
commit96c540042718e05161f03dd7edeaf0ae8820d3ce (patch)
tree44e65a9b7e477d1a414426f71e936c6533c26297 /doc/interimap.1.md
parent34142cae2430d7b38a2542939709bbbc4a509703 (diff)
parentbb58678ba034e56f88db7202bf4e29ef3bd1bebd (diff)
Merge tag 'upstream/0.5.3' into debian
Upstream version 0.5.3
Diffstat (limited to 'doc/interimap.1.md')
-rw-r--r--doc/interimap.1.md29
1 files changed, 18 insertions, 11 deletions
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index f10ced6..7df0100 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -376,7 +376,8 @@ Valid options are:
*null-stderr*
: Whether to redirect *command*'s standard error to `/dev/null` for
- `type=tunnel`. (Default: `NO`.)
+ `type=tunnel`. This option is ignored when the `--debug` flag is
+ set. (Default: `NO`.)
*SSL_protocols*
@@ -396,25 +397,31 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate's Subject Public Key Info, in
- the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
- default `sha256`).
+: Space-separated list of acceptable fingerprints for the server
+ certificate's Subject Public Key Info, in the form
+ `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default
+ `sha256`).
Attempting to connect to a server with a non-matching certificate
SPKI fingerprint causes `interimap` to abort the connection during
the SSL/TLS handshake.
The following command can be used to compute the SHA-256 digest of a
certificate's Subject Public Key Info:
- openssl x509 -in /path/to/server/certificate.pem -pubkey \
- | openssl pkey -pubin -outform DER \
- | openssl dgst -sha256
+ $ openssl x509 -in /path/to/server/certificate.pem -pubkey \
+ | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256
+
+ Specifying multiple digest values can be useful in key rollover
+ scenarios and/or when the server supports certificates of different
+ types (for instance RSA+ECDSA). In that case the connection is
+ aborted when none of the specified digests matches.
*SSL_verify*
: Whether to verify the server certificate chain.
Note that using *SSL_fingerprint* to specify the fingerprint of the
- server certificate is an orthogonal authentication measure as it
- ignores the CA chain.
+ server certificate provides an independent server authentication
+ measure as it ignores the CA chain.
(Default: `YES`.)
*SSL_CApath*
@@ -427,7 +434,7 @@ Valid options are:
*SSL_CAfile*
: File containing trusted certificates to use during server
- certificate authentication if `SSL_verify=YES`.
+ certificate verification if `SSL_verify=YES`.
Supported extensions {#supported-extensions}
====================
@@ -469,7 +476,7 @@ Known bugs and limitations
* Because the [IMAP protocol][RFC 3501] doesn't provide a way for
clients to determine whether a disappeared mailbox was deleted or
renamed, `interimap` aborts when a known mailbox disappeared from one
- server but not the other. The `--delete` (resp. `rename`) command
+ server but not the other. The `--delete` (resp. `--rename`) command
should be used instead to delete (resp. rename) the mailbox on both
servers as well as within `interimap`'s internal database.