author Guilhem Moulin <guilhem@fripost.org> 2015-09-13 14:04:03 +0200
committer Guilhem Moulin <guilhem@fripost.org> 2015-09-13 14:47:07 +0200
commit 35ab0d8661b6808a9132bde20eefcf07f1486093 (patch)
tree 42ec4983a078aba283bc060ffd7ba24e73c689d4 /interimap.1
parent a4729170cffc902319b08bae86e1ab6e20a7939d (diff)
Replace IO::Socket::SSL dependency by the lower level Net::SSLeay.

Also,

* Rename the 'SSL_verify_trusted_peer', 'SSL_ca_path', and 'SSL_cipher_list' options to 'SSL_CApath', 'SSL_verify' and 'SSL_cipherlist', respectively.
* Add an option 'SSL_CAfile' to specify a file containing trusted certificates to use during server certificate authentication.
* Replace Compress::Zlib dependency by the lower level Compress::Raw::Zlib.

Diffstat (limited to 'interimap.1')
-rw-r--r-- interimap.1 63
1 files changed, 36 insertions, 27 deletions
diff --git a/interimap.1 b/interimap.1
index 988fa16..7ac8204 100644
--- a/interimap.1
+++ b/interimap.1
@@ -282,33 +282,6 @@ pre\-authenticated connections, depending on the chosen authentication
mechanism.
.TP
-.I SSL_cipher_list
-Cipher list to use for the connection.
-See \fIciphers\fR(1ssl) for the format of such list.
-
-.TP
-.I SSL_fingerprint
-Fingerprint of the server certificate in the form
-\fIALGO\fR$\fIDIGEST_HEX\fR, where \fIALGO\fR is the used algorithm
-(default \(lqsha256\(rq).
-Attempting to connect to a server with a non-matching certificate
-fingerprint causes \fBInterIMAP\fR to abort the connection immediately
-after the SSL/TLS handshake.
-
-.TP
-.I SSL_verify_trusted_peer
-Whether to verify that the peer certificate has been signed by a trusted
-Certificate Authority. Note that using \fISSL_fingerprint\fR to specify
-the fingerprint of the server certificate is orthogonal and does not
-rely on Certificate Authorities.
-(Default: \(lqYES\(rq.)
-
-.TP
-.I SSL_ca_path
-Directory containing the certificate(s) of the trusted Certificate
-Authorities, used for server certificate verification.
-
-.TP
.I compress
Whether to use the IMAP COMPRESS extension [RFC4978] for servers
advertizing it.
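Review bot: The `SSL_verify_trusted_peer` and `SSL_ca_path` entries are deleted here with no pointer to their replacements (`SSL_verify` and `SSL_CApath` in the next hunk), so the man page no longer tells someone with an existing configuration file what happened to those keys. Suggest a short compatibility sentence under the new entries naming the old keys and stating whether they are still accepted or now rejected; if an old key were silently ignored, the server certificate would be authenticated differently from what the configuration intends.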
@@ -333,6 +306,42 @@ This option is only available in the default section, and is ignored if
either server does not advertize \(lqBINARY\(rq in its capability list.
(Default: \(lqYES\(rq.)
+.TP
+.I SSL_cipher_list
+The cipher list to send to the server. Although the server determines
+which cipher suite is used, it should take the first supported cipher in
+the list sent by the client. See \fBciphers\fR(1ssl) for more
+information.
+
+.TP
+.I SSL_fingerprint
+Fingerprint of the server certificate (or its public key) in the form
+\fIALGO\fR$\fIDIGEST_HEX\fR, where \fIALGO\fR is the used algorithm
+(default \(lqsha256\(rq).
+Attempting to connect to a server with a non-matching certificate
+fingerprint causes \fBInterIMAP\fR to abort the connection immediately
+after the SSL/TLS handshake.
+
+.TP
+.I SSL_verify
+Whether to verify the server certificate chain.
+Note that using \fISSL_fingerprint\fR to specify the fingerprint of the
+server certificate is an orthogonal authentication measure as it ignores
+the CA chain.
+(Default: \(lqYES\(rq.)
+
+.TP
+.I SSL_CApath
+Directory to use for server certificate verification if
+\(lq\fISSL_verify\fR=YES\(rq.
+This directory must be in \(lqhash format\(rq, see \fBverify\fR(1ssl)
+for more information.
+
+.TP
+.I SSL_CAfile
+File containing trusted certificates to use during server certificate
+authentication if \(lq\fISSL_verify\fR=YES\(rq.
+
.SH SUPPORTED EXTENSIONS
Performance is better for servers supporting the following extensions to
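Review bot: The re-added entry is still titled `SSL_cipher_list`, while the commit message says this option is renamed to 'SSL_cipherlist'; the `.I` line should match the name the code accepts, otherwise a user copying the key from the man page may set an option that is not read. In the same hunk, `SSL_fingerprint` now reads "certificate (or its public key)" without saying which of the two is hashed or whether both are tried, and `SSL_CApath` / `SSL_CAfile` do not say what is trusted when `SSL_verify=YES` and neither is set. The `SSL_verify` text also mentions only the certificate chain, so it would help to state whether the server name is checked as well.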