From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 13 Feb 2024 16:42:41 +0000 (+0100)
Subject: docs-xml: add 'tls trust system cas' and 'tls ca directories' options
X-Git-Tag: tdb-1.4.11~963
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b84c97cf39c60706a637370e4856fc60671c3a8;p=thirdparty%2Fsamba.git

docs-xml: add 'tls trust system cas' and 'tls ca directories' options

This will make it easier to support trusting more than one CA.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/docs-xml/smbdotconf/security/tlscadirs.xml b/docs-xml/smbdotconf/security/tlscadirs.xml
new file mode 100644
index 00000000000..dc75cec3efa
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlscadirs.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="tls ca directories"
+                 type="list"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+	<para>This option can be set to a list of directories with files (in PEM format)
+	containing CA certificates of root CAs to trust to sign
+	certificates or intermediate CA certificates.</para>
+ </description>
+
+ <related>tls trust system cas</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlscafile.xml b/docs-xml/smbdotconf/security/tlscafile.xml
index bcbac62a417..87a9454bba1 100644
--- a/docs-xml/smbdotconf/security/tlscafile.xml
+++ b/docs-xml/smbdotconf/security/tlscafile.xml
@@ -11,6 +11,8 @@
 	 does not start with a /.</para>
  </description>
 
+ <related>tls trust system cas</related>
+ <related>tls ca directories</related>
  <related>tls certfile</related>
  <related>tls crlfile</related>
  <related>tls dh params file</related>
diff --git a/docs-xml/smbdotconf/security/tlstrustsystemcas.xml b/docs-xml/smbdotconf/security/tlstrustsystemcas.xml
new file mode 100644
index 00000000000..cbadaa25609
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlstrustsystemcas.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="tls trust system cas"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+	<para>With this option the system's default trusted CAs are
+	used to trust SSL/TLS connections.</para>
+
+	<para>Please use this with care, as it really means
+	trusting all CAs installed on the system!</para>
+ </description>
+
+ <related>tls ca directories</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
+ <value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml
index 4f47dd4db0d..8ff7afaaf84 100644
--- a/docs-xml/smbdotconf/security/tlsverifypeer.xml
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@@ -19,7 +19,9 @@
 
 	<para>When set to <constant>ca_only</constant> the certificate is verified to
 	be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
-	Setting <smbconfoption name="tls ca file"/> to a valid file is required.
+	As alternative <smbconfoption name="tls ca directories"/> or
+	<smbconfoption name="tls trust system cas"/> can be used.
+	Providing at least one valid CA certificate is required.
 	The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
 	option is configured, the certificate is also verified against the ca crl.
 	</para>
@@ -43,5 +45,9 @@
 	</para>
 </description>
 
+ <related>tls trust system cas</related>
+ <related>tls ca directories</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
 <value type="default">as_strict_as_possible</value>
 </samba:parameter>