1 files changed, 39 insertions, 20 deletions

diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 2d2a637..2d588ae 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -249,7 +249,7 @@ Valid options are:
     Two wildcards are available, and passed verbatim to the IMAP server:
     a ‘\*’ character matches zero or more characters, while a ‘%’
     character matches zero or more characters up to the hierarchy
-    delimiter.  Hardcoding the hierarchy delimiter in this setting is
+    delimiter.  Hard-coding the hierarchy delimiter in this setting is
     not advised because the server might silently change it at some
     point. A null character should be used instead.  For instance, if
     *list-mailbox* is set `"foo\x00bar"` then, assuming the hierarchy
@@ -309,7 +309,7 @@ Valid options are:
     `type=imap` and `type=imaps` are respectively used for IMAP and IMAP
     over SSL/TLS connections over an INET socket.
     `type=tunnel` causes `interimap` to create an unnamed pair of
-    connected sockets for interprocess communication with a *command*
+    connected sockets for inter-process communication with a *command*
     instead of opening a network socket.
     Note that specifying `type=tunnel` in the `[remote]` section makes
     the default *database* to be `localhost.db`.
@@ -383,19 +383,32 @@ Valid options are:
 
 *SSL_protocols*
 
-:   A space-separated list of SSL protocols to enable or disable (if
-    prefixed with an exclamation mark `!`.  Known protocols are `SSLv2`,
-    `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.  Enabling a
-    protocol is a short-hand for disabling all other protocols.
-    (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
-    and above.)
+:   Space-separated list of SSL/TLS protocol versions to explicitly
+    enable (or disable if prefixed with an exclamation mark `!`).
+    Potentially known protocols are `SSLv2`, `SSLv3`, `TLSv1`,
+    `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+    version used.
+    Enabling a protocol is a short-hand for disabling all other
+    protocols.
 
-*SSL_cipher_list*
+    *DEPRECATED*: Use *SSL_protocol_min* and/or *SSL_protocol_max*
+    instead.
 
-:   The cipher list to send to the server.  Although the server
-    determines which cipher suite is used, it should take the first
-    supported cipher in the list sent by the client.  See
-    [`ciphers`(1ssl)] for more information.
+*SSL_protocol_min*, *SSL_protocol_max*
+
+:   Set minimum resp. maximum SSL/TLS protocol version to use for the
+    connection.  Potentially recognized values are `SSLv3`, `TLSv1`,
+    `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+    version used.
+
+*SSL_cipherlist*, *SSL_ciphersuites*
+
+:   Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+    The combination of these lists is sent to the server, which then
+    determines which cipher to use (normally the first supported one
+    from the list sent by the client).  The default suites depend on the
+    OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+    more information.
 
 *SSL_fingerprint*
 
@@ -415,12 +428,12 @@ Valid options are:
 
     Specifying multiple digest values can be useful in key rollover
     scenarios and/or when the server supports certificates of different
-    types (for instance RSA+ECDSA).  In that case the connection is
-    aborted when none of the specified digests matches.
+    types (for instance a dual-cert RSA/ECDSA setup).  In that case the
+    connection is aborted when none of the specified digests matches.
 
 *SSL_verify*
 
-:   Whether to verify the server certificate chain, and match its
+:   Whether to 1/ verify the server certificate chain; and 2/ match its
     Subject Alternative Name (SAN) or Subject CommonName (CN) against
     the value of the *host* option.
     (Default: `YES`.)
@@ -430,6 +443,14 @@ Valid options are:
     measure as it pins directly its key material and ignore its chain of
     trust.
 
+*SSL_CAfile*
+
+:   File containing trusted certificates to use during server
+    certificate verification when `SSL_verify=YES`.
+
+    Trusted CA certificates are loaded from the default system locations
+    unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
+
 *SSL_CApath*
 
 :   Directory to use for server certificate verification when
@@ -437,10 +458,8 @@ Valid options are:
     This directory must be in “hash format”, see [`verify`(1ssl)] for
     more information.
 
-*SSL_CAfile*
-
-:   File containing trusted certificates to use during server
-    certificate verification when `SSL_verify=YES`.
+    Trusted CA certificates are loaded from the default system locations
+    unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
 
 *SSL_hostname*