aboutsummaryrefslogtreecommitdiffstats
path: root/doc/pullimap.1.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/pullimap.1.md')
-rw-r--r--doc/pullimap.1.md28
1 files changed, 17 insertions, 11 deletions
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index 5028a14..98ec2ef 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -216,25 +216,31 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate's Subject Public Key Info, in
- the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
- default `sha256`).
+: Space-separated list of acceptable fingerprints for the server
+ certificate's Subject Public Key Info, in the form
+ `[ALGO$]DIGEST_HEX` where `ALGO` is the digest algorithm (by default
+ `sha256`).
Attempting to connect to a server with a non-matching certificate
SPKI fingerprint causes `pullimap` to abort the connection during
the SSL/TLS handshake.
The following command can be used to compute the SHA-256 digest of a
certificate's Subject Public Key Info:
- openssl x509 -in /path/to/server/certificate.pem -pubkey \
- | openssl pkey -pubin -outform DER \
- | openssl dgst -sha256
+ $ openssl x509 -in /path/to/server/certificate.pem -pubkey \
+ | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256
+
+ Specifying multiple digest values can be useful in key rollover
+ scenarios and/or when the server supports certificates of different
+ types (for instance RSA+ECDSA). In that case the connection is
+ aborted when none of the specified digests matches.
*SSL_verify*
: Whether to verify the server certificate chain.
Note that using *SSL_fingerprint* to specify the fingerprint of the
- server certificate is an orthogonal authentication measure as it
- ignores the CA chain.
+ server certificate provides an independent server authentication
+ measure as it ignores the CA chain.
(Default: `YES`.)
*SSL_CApath*
@@ -247,7 +253,7 @@ Valid options are:
*SSL_CAfile*
: File containing trusted certificates to use during server
- certificate authentication if `SSL_verify=YES`.
+ certificate verification if `SSL_verify=YES`.
Control flow {#control-flow}
============
@@ -369,8 +375,8 @@ Standards
[RFC 4731]: https://tools.ietf.org/html/rfc4731
[INI file]: https://en.wikipedia.org/wiki/INI_file
-[`fetchmail`(1)]: http://www.fetchmail.info/
+[`fetchmail`(1)]: https://www.fetchmail.info/
[`getmail`(1)]: http://pyropus.ca/software/getmail/
-[`write`(2)]: http://man7.org/linux/man-pages/man2/write.2.html
+[`write`(2)]: https://man7.org/linux/man-pages/man2/write.2.html
[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/verify.html