author | Steffan Karger <steffan@karger.me> | 2015-05-24 11:45:40 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2015-05-24 13:42:18 +0200 |
commit | f4684ff2b5622a26c7c2e620e789b7dca8cfd778 (patch) | |
tree | fa758536a8841b07fa2820f6876fa0bfbd3f7034 | |
parent | 0322510375b5c54f63f5302b9088972d58b32b76 (diff) | |
Clarify --capath option in manpage
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Attached are patches for the master and release/2.3 branches. The only
difference is that in the master patch, a line referencing the
requirement for OpenSSL 0.9.7 is removed, since master already requires
OpenSSL >= 0.9.8.
-Steffan
Content-Type: text/x-patch;
name="2.3-Clarify-capath-option-in-manpage.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="2.3-Clarify-capath-option-in-manpage.patch"
>From 3626088e146dbf959d7ec73f4e7cc5ab24c1ad57 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 24 May 2015 11:18:34 +0200
Subject: [PATCH] Clarify --capath option in manpage
Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55619DC4.2020108@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9732
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | doc/openvpn.8 | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 07219c3..b1c2fab 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4271,8 +4271,23 @@ they are distributed with OpenVPN, they are totally insecure. .TP .B \-\-capath dir Directory containing trusted certificates (CAs and CRLs). -Available with OpenSSL version >= 0.9.7 dev. Not available with PolarSSL. + +When using the +.B \-\-capath +option, you are required to supply valid CRLs for the CAs too. CAs in the +capath directory are expected to be named <hash>.<n>. CRLs are expected to +be named <hash>.r<n>. See the +.B -CApath +option of +.B openssl verify +, and the +.B -hash +option of +.B openssl x509 +and +.B openssl crl +for more information. .\"********************************************************* .TP .B \-\-dh file |
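Review bot: the added line `, and the` directly after `.B openssl verify` will render as "openssl verify , and the" with a stray space before the comma, because roff turns the source line break into a space. Consider `.BR "openssl verify" ,` and continuing with `and the` on the next line. In the same added block, `.B -CApath` and `.B -hash` use a bare hyphen while the option heading in this hunk uses `\-\-capath`; writing `\-CApath` and `\-hash` would keep the escapes consistent and render a literal minus that can be copied into a shell. On content, the new paragraph introduces `<hash>.<n>` and `<hash>.r<n>` without saying what `<hash>` is computed over or what `<n>` counts, so the reader has to follow the openssl pointers to name a single file; one sentence defining both here would help. It would also be worth stating what happens when a CA in the directory has no matching CRL, since the text says CRLs are required but not how their absence shows up.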