| field | value | date |
|---|---|---|
| author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:34:00 +0100 |
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:34:00 +0100 |
| commit | 96c540042718e05161f03dd7edeaf0ae8820d3ce (patch) | |
| tree | 44e65a9b7e477d1a414426f71e936c6533c26297 /doc/pullimap.1.md | |
| parent | 34142cae2430d7b38a2542939709bbbc4a509703 (diff) | |
| parent | bb58678ba034e56f88db7202bf4e29ef3bd1bebd (diff) | |
Merge tag 'upstream/0.5.3' into debian
Upstream version 0.5.3
Diffstat (limited to 'doc/pullimap.1.md')
-rw-r--r-- | doc/pullimap.1.md | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 5028a14..98ec2ef 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -216,25 +216,31 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate's Subject Public Key Info, in - the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by - default `sha256`). +: Space-separated list of acceptable fingerprints for the server + certificate's Subject Public Key Info, in the form + `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default + `sha256`). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes `pullimap` to abort the connection during the SSL/TLS handshake. The following command can be used to compute the SHA-256 digest of a certificate's Subject Public Key Info: - openssl x509 -in /path/to/server/certificate.pem -pubkey \ - | openssl pkey -pubin -outform DER \ - | openssl dgst -sha256 + $ openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 + + Specifying multiple digest values can be useful in key rollover + scenarios and/or when the server supports certificates of different + types (for instance RSA+ECDSA). In that case the connection is + aborted when none of the specified digests matches. *SSL_verify* : Whether to verify the server certificate chain. Note that using *SSL_fingerprint* to specify the fingerprint of the - server certificate is an orthogonal authentication measure as it - ignores the CA chain. + server certificate provides an independent server authentication + measure as it ignores the CA chain. (Default: `YES`.) *SSL_CApath* @@ -247,7 +253,7 @@ Valid options are: *SSL_CAfile* : File containing trusted certificates to use during server - certificate authentication if `SSL_verify=YES`. + certificate verification if `SSL_verify=YES`. Control flow {#control-flow} ============ 
@@ -369,8 +375,8 @@ Standards [RFC 4731]: https://tools.ietf.org/html/rfc4731 [INI file]: https://en.wikipedia.org/wiki/INI_file -[`fetchmail`(1)]: http://www.fetchmail.info/ +[`fetchmail`(1)]: https://www.fetchmail.info/ [`getmail`(1)]: http://pyropus.ca/software/getmail/ -[`write`(2)]: http://man7.org/linux/man-pages/man2/write.2.html +[`write`(2)]: https://man7.org/linux/man-pages/man2/write.2.html [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html [`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/verify.html |
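Review bot: in the first hunk (`@@ -216,25 +216,31 @@`, the *SSL_fingerprint* entry), the new text turns the option into a space-separated list but leaves two things underspecified that a reader configuring it will need: whether each entry may carry its own `ALGO$` prefix (e.g. one `sha256$...` and one `sha512$...` entry), and how the option combines with *SSL_verify* when both are set, since the *SSL_verify* paragraph now only says the fingerprint check is "independent" and "ignores the CA chain". Suggest one sentence after "In that case the connection is aborted when none of the specified digests matches." stating explicitly that the prefix is per-entry (if that is the case) and that with `SSL_verify=YES` both the chain verification and the pin must succeed (or whichever the implementation actually does). While here, the key-rollover paragraph would benefit from advising that superseded fingerprints be removed once the rollover is complete, since every listed digest remains an accepted identity for the server; the `$ ` prompt added to the `openssl` snippet is fine but means the three lines are no longer directly copy-pasteable.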
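Review bot: in the second hunk (`@@ -247,7 +253,7 @@`, the *SSL_CAfile* entry), replacing "certificate authentication" with "certificate verification" is the right term and matches the *SSL_verify* option name; the sibling *SSL_CApath* entry sits between the two hunks and is not shown here, so check that it received the same wording change rather than still saying "authentication".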
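Review bot: in the third hunk (`@@ -369,8 +375,8 @@`, the link list under "Standards"), the `fetchmail` and `man7.org` references are upgraded to `https://` but the adjacent `[`getmail`(1)]: http://pyropus.ca/software/getmail/` line is left on plain `http://`; for consistency either upgrade it too if the site serves TLS, or add a short note that it does not, so the remaining `http://` entry does not read as an oversight.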