path: root/README.SSL
author: Matthias Andree <matthias.andree@gmx.de> 2021-01-30 14:15:10 +0100
committer: Matthias Andree <matthias.andree@gmx.de> 2021-01-30 14:20:45 +0100
commit: a00157c59640cbc341e0d4110d4e853c3da20908 (patch)
tree: beb3369c26b554eda37693bbab449d39b582a9de /README.SSL
parent: 1df193714c62e6b12f1b8f1dab10fd23b6d06e51 (diff)
--version: print default cert paths, and document SSL_CERT_* in manpage
When Gene Heskett was updating his OpenSSL on Debian oldstable, we figured that it might be helpful to print where OpenSSL goes looking for the trusted certificate. Add this information. Also add documentation of OpenSSL's SSL_CERT_DIR/SSL_CERT_FILE environment variables.
Diffstat (limited to 'README.SSL')
-rw-r--r-- README.SSL | 8
1 files changed, 6 insertions, 2 deletions
diff --git a/README.SSL b/README.SSL
index 6c85eb38..9cbb50ce 100644
--- a/README.SSL
+++ b/README.SSL
@@ -31,7 +31,7 @@ Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get
TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1.
-In all four examples below, the (--)sslcertck has become redunant
+In all four examples below, the (--)sslcertck has become redundant
since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
for a while, we'll leave it here to be safe.
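Review bot: the typo fix on the "+In all four examples below" line is correct, but the sentence it sits in still lacks a noun after "(--)sslcertck" and a comma before "but"; since the line is being touched anyway, consider "In all four examples below, the (--)sslcertck option has become redundant since fetchmail v6.4.0, but since fetchmail 6.3 releases will be in circulation for a while, we'll leave it here to be safe."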
@@ -99,8 +99,12 @@ you put the CA's certificate into a directory where you keep trusted
certificates, and point fetchmail to it. Fetchmail will then accept
certificates signed by the owner of that certificate with the private key
belonging to the public key in the certificate.
-You can specify this path using the "sslcertpath" option if it is
+ You can specify this path using the "sslcertpath" option if it is
different from the one OpenSSL uses by default.
+ Alternatively, a "bundle" file (a concatenation of trusted certificates in PEM
+form) can be given, using the "sslcertfile".
+ fetchmail 6.4.16 and newer will print the default locations where the SSL
+library looks when run as fetchmail -V or fetchmail --version.
The idea is that the CA only gives certificates to entities whose identity it
has checked and verified (and in this case, that the server name you specify
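Review bot: the "-You can specify this path" / "+ You can specify this path" pair differs only by a leading space, and the other two added paragraphs ("+ Alternatively, a "bundle" file" and "+ fetchmail 6.4.16 and newer") also start with a space while their continuation lines do not, which looks like an accidental indentation change rather than an intended layout; drop the leading spaces so the paragraphs match the surrounding text. Separately, "can be given, using the "sslcertfile"." is missing the word "option" after the quoted name, in the same pattern as the "sslcertpath" sentence above it.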