Docs: Mention issues with TLS client cert and Exim <= 4.85

[users/heiko/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 31c8c5653a573fdc9dc2cd82cd317bd6696955be..c865e111bb125bde2427c2013964efa5a4a35e30 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -18489,7 +18489,9 @@ than the public cert of individual clients.  With both OpenSSL and GnuTLS, if
 the value is a file then the certificates are sent by Exim as a server to
 connecting clients, defining the list of accepted certificate authorities.
 Thus the values defined should be considered public data.  To avoid this,
-use the explicit directory version.
+use the explicit directory version. (If your peer is Exim up to 4.85,
+using GnuTLS, you may need to send the CAs (thus using the file
+variant). Otherwise the peer doesn't send its certificate.)
 
 See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
 
@@ -29308,7 +29310,7 @@ then the associated information is loaded at daemon startup.
 It is made available
 to child processes forked for handling received SMTP connections.
 
-This caching is currently only supported under Linux.
+This caching is currently only supported under Linux and FreeBSD.
 
 If caching is not possible, for example if an item has to be dependent
 on the peer host so contains a &$sender_host_name$& expansion, the load
@@ -29320,7 +29322,7 @@ containing files specified by these options.
 The information specified by the main option &%tls_verify_certificates%&
 is similarly cached so long as it specifies files explicitly
 or (under GnuTLS) is the string &"system,cache"&.
-The latter case is not automatically invaludated;
+The latter case is not automatically invalidated;
 it is the operator's responsibility to arrange for a daemon restart
 any time the system certificate authority bundle is updated.
 A HUP signal is sufficient for this.