Diffstat (limited to 'README.SSL')
-rw-r--r-- README.SSL 8
1 files changed, 6 insertions, 2 deletions
diff --git a/README.SSL b/README.SSL
index 6c85eb38..9cbb50ce 100644
--- a/README.SSL
+++ b/README.SSL
@@ -31,7 +31,7 @@ Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get
TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1.
-In all four examples below, the (--)sslcertck has become redunant
+In all four examples below, the (--)sslcertck has become redundant
since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
for a while, we'll leave it here to be safe.
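Review bot: The corrected line still reads "the (--)sslcertck has become redundant" with no noun after the option name; since the line is being touched anyway, "the (--)sslcertck option has become redundant" would read better. The same sentence uses "since" in two senses ("since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation") and mixes "v6.4.0" with "6.3"; rewording the second clause to "because" and picking one version style would make the compatibility advice easier to parse.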
@@ -99,8 +99,12 @@ you put the CA's certificate into a directory where you keep trusted
certificates, and point fetchmail to it. Fetchmail will then accept
certificates signed by the owner of that certificate with the private key
belonging to the public key in the certificate.
-You can specify this path using the "sslcertpath" option if it is
+ You can specify this path using the "sslcertpath" option if it is
different from the one OpenSSL uses by default.
+ Alternatively, a "bundle" file (a concatenation of trusted certificates in PEM
+form) can be given, using the "sslcertfile".
+ fetchmail 6.4.16 and newer will print the default locations where the SSL
+library looks when run as fetchmail -V or fetchmail --version.
The idea is that the CA only gives certificates to entities whose identity it
has checked and verified (and in this case, that the server name you specify
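Review bot: The added sentence ends with 'using the "sslcertfile".' and drops the word "option", unlike the preceding 'the "sslcertpath" option'; suggest 'using the "sslcertfile" option' so the two trust-store settings are described consistently. Three of the added lines ("You can specify", "Alternatively", "fetchmail 6.4.16") begin with a leading space while their continuation lines do not, so the paragraph indentation looks uneven and is worth checking against the rest of the file. It would also help to capitalise or rephrase the sentence starting with "fetchmail 6.4.16 and newer" so it does not open with a lowercase program name.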