diff options
author | Steffan Karger <steffan@karger.me> | 2015-05-24 11:45:40 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2015-05-24 13:43:02 +0200 |
commit | 1009df7d51f3fb7f898b2155aa62b8f0336e49e6 (patch) | |
tree | 5a7a131e74a867b796f9fca8637f79e8fe29ae21 | |
parent | 1f5668671992dced602e89634e1890711877fdc4 (diff) | |
download | openvpn-1009df7d51f3fb7f898b2155aa62b8f0336e49e6.tar.gz openvpn-1009df7d51f3fb7f898b2155aa62b8f0336e49e6.tar.xz openvpn-1009df7d51f3fb7f898b2155aa62b8f0336e49e6.zip |
Clarify --capath option in manpage
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Attached are patches for the master and release/2.3 branches. The only
difference is that in the master patch, a line referencing the
requirement for OpenSSL 0.9.7 is removed, since master already requires
OpenSSL >= 0.9.8.
-Steffan
>From 96e564e113cc26adf22e5d4b51d5754858610c3e Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 24 May 2015 11:20:11 +0200
Subject: [PATCH] Clarify --capath option in manpage
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55619DC4.2020108@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9732
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | doc/openvpn.8 | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 3940cdf..00f0383 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4225,6 +4225,22 @@ they are distributed with OpenVPN, they are totally insecure. Directory containing trusted certificates (CAs and CRLs). Available with OpenSSL version >= 0.9.7 dev. Not available with PolarSSL. + +When using the +.B \-\-capath +option, you are required to supply valid CRLs for the CAs too. CAs in the +capath directory are expected to be named <hash>.<n>. CRLs are expected to +be named <hash>.r<n>. See the +.B -CApath +option of +.B openssl verify +, and the +.B -hash +option of +.B openssl x509 +and +.B openssl crl +for more information. .\"********************************************************* .TP .B \-\-dh file |