diff options
Diffstat (limited to 'doc/interimap.1.md')
-rw-r--r-- | doc/interimap.1.md | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/doc/interimap.1.md b/doc/interimap.1.md index f10ced6..7df0100 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -376,7 +376,8 @@ Valid options are: *null-stderr* : Whether to redirect *command*'s standard error to `/dev/null` for - `type=tunnel`. (Default: `NO`.) + `type=tunnel`. This option is ignored when the `--debug` flag is + set. (Default: `NO`.) *SSL_protocols* @@ -396,25 +397,31 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate's Subject Public Key Info, in - the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by - default `sha256`). +: Space-separated list of acceptable fingerprints for the server + certificate's Subject Public Key Info, in the form + `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default + `sha256`). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes `interimap` to abort the connection during the SSL/TLS handshake. The following command can be used to compute the SHA-256 digest of a certificate's Subject Public Key Info: - openssl x509 -in /path/to/server/certificate.pem -pubkey \ - | openssl pkey -pubin -outform DER \ - | openssl dgst -sha256 + $ openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 + + Specifying multiple digest values can be useful in key rollover + scenarios and/or when the server supports certificates of different + types (for instance RSA+ECDSA). In that case the connection is + aborted when none of the specified digests matches. *SSL_verify* : Whether to verify the server certificate chain. Note that using *SSL_fingerprint* to specify the fingerprint of the - server certificate is an orthogonal authentication measure as it - ignores the CA chain. + server certificate provides an independent server authentication + measure as it ignores the CA chain. (Default: `YES`.) *SSL_CApath* @@ -427,7 +434,7 @@ Valid options are: *SSL_CAfile* : File containing trusted certificates to use during server - certificate authentication if `SSL_verify=YES`. + certificate verification if `SSL_verify=YES`. Supported extensions {#supported-extensions} ==================== @@ -469,7 +476,7 @@ Known bugs and limitations * Because the [IMAP protocol][RFC 3501] doesn't provide a way for clients to determine whether a disappeared mailbox was deleted or renamed, `interimap` aborts when a known mailbox disappeared from one - server but not the other. The `--delete` (resp. `rename`) command + server but not the other. The `--delete` (resp. `--rename`) command should be used instead to delete (resp. rename) the mailbox on both servers as well as within `interimap`'s internal database. |