From 8c43ed9baa905d907a6aad77de2282a852ba69a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 13 Dec 2020 17:43:52 +0100
Subject: libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used).
---
 doc/interimap.1.md | 14 ++++++++++----
 doc/pullimap.1.md | 14 ++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)
(limited to 'doc')
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 2310cb3..63d5ab0 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -439,6 +439,14 @@ Valid options are:
 measure as it pins directly its key material and ignore its chain of trust.
+*SSL_CAfile*
+
+: File containing trusted certificates to use during server
+ certificate verification when `SSL_verify=YES`.
+
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
+
 *SSL_CApath* : Directory to use for server certificate verification when
@@ -446,10 +454,8 @@ Valid options are:
 This directory must be in “hash format”, see [`verify`(1ssl)] for more information.
-*SSL_CAfile*
-
-: File containing trusted certificates to use during server
- certificate verification when `SSL_verify=YES`.
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
 *SSL_hostname*
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index cf6ec52..05cbcaf 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -258,6 +258,14 @@ Valid options are:
 measure as it pins directly its key material and ignore its chain of trust.
+*SSL_CAfile*
+
+: File containing trusted certificates to use during server
+ certificate verification when `SSL_verify=YES`.
+
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
+
 *SSL_CApath* : Directory to use for server certificate verification when
@@ -265,10 +273,8 @@ Valid options are:
 This directory must be in “hash format”, see [`verify`(1ssl)] for more information.
-*SSL_CAfile*
-
-: File containing trusted certificates to use during server
- certificate verification when `SSL_verify=YES`.
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
 *SSL_hostname*
--
cgit v1.2.3