From: Steffan Karger Date: Sun, 24 May 2015 09:45:40 +0000 (+0200) Subject: Clarify --capath option in manpage X-Git-Tag: v2.3.7~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1009df7d51f3fb7f898b2155aa62b8f0336e49e6;p=thirdparty%2Fopenvpn.git Clarify --capath option in manpage Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man pages. Attached are patches for the master and release/2.3 branches. The only difference is that in the master patch, a line referencing the requirement for OpenSSL 0.9.7 is removed, since master already requires OpenSSL >= 0.9.8. -Steffan >From 96e564e113cc26adf22e5d4b51d5754858610c3e Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Sun, 24 May 2015 11:20:11 +0200 Subject: [PATCH] Clarify --capath option in manpage Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man pages. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <55619DC4.2020108@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9732 Signed-off-by: Gert Doering --- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 3940cdf6a..00f038305 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4225,6 +4225,22 @@ they are distributed with OpenVPN, they are totally insecure. Directory containing trusted certificates (CAs and CRLs). Available with OpenSSL version >= 0.9.7 dev. Not available with PolarSSL. + +When using the +.B \-\-capath +option, you are required to supply valid CRLs for the CAs too. CAs in the +capath directory are expected to be named .. CRLs are expected to +be named .r. See the +.B -CApath +option of +.B openssl verify +, and the +.B -hash +option of +.B openssl x509 +and +.B openssl crl +for more information. .\"********************************************************* .TP .B \-\-dh file
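Review bot: in the added paragraph, ".B -CApath" and ".B -hash" leave the hyphen unescaped, while ".B \-\-capath" at the top of the same paragraph escapes it; writing "\-CApath" and "\-hash" keeps the page consistent and makes man render a minus sign that can be pasted into a shell. The line ", and the" directly after ".B openssl verify" will render with a space before the comma; .BR "openssl verify" , avoids that. As the patch appears here, the name patterns read ".." and ".r." with no visible placeholder for the hash or the sequence number, so check that both placeholders are present in the man source. The sentence requiring valid CRLs for the CAs also does not say what happens when a CRL is missing or has expired; a clause stating that outcome would address the confusion the commit message refers to.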