See &%tls_verify_hosts%& below.
-.option tls_verify_certificates main string&!! unset
+.option tls_verify_certificates main string&!! system
.cindex "TLS" "client certificate verification"
.cindex "certificate" "verification of client"
The value of this option is expanded, and must then be either the
The "system" value for the option will use a
system default location compiled into the SSL library.
-This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+This is not available for GnuTLS versions preceding 3.0.20,
+and will be taken as empty; an explicit location
must be specified.
The use of a directory for the option value is not avilable for GnuTLS versions
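Review bot: the added clause "and will be taken as empty" has no clear subject; as written it reads as if the GnuTLS version, not the option value, is taken as empty. The smtp transport copy of this paragraph says "a value of "system" is taken as empty and an explicit location must be specified". Use that wording here too, so the two descriptions match. While this paragraph is being touched, "avilable" in the trailing context line should be "available".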
in clear.
-.option tls_try_verify_hosts smtp "host list&!!" unset
+.option tls_try_verify_hosts smtp "host list&!!" *
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which, on encrypted connections,
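Review bot: changing the default from unset to "*" alters behaviour for every existing configuration, but the description under the changed .option line is left as it was. Add a sentence saying that verification is now attempted for all hosts by default, and say how an administrator restores the previous behaviour. A later hunk notes that a single-colon empty list counts as being set; if that is the intended way to turn this off, say so here.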
There is no equivalent checking on client certificates.
-.option tls_verify_certificates smtp string&!! unset
+.option tls_verify_certificates smtp string&!! system
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
.vindex "&$host$&"
for use when setting up an encrypted connection.
The "system" value for the option will use a location compiled into the SSL library.
-This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+This is not available for GnuTLS versions preceding 3.0.20; a value of "system"
+is taken as empty and an explicit location
must be specified.
The use of a directory for the option value is not avilable for GnuTLS versions
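Review bot: "is taken as empty" does not say what an empty value means for verification. With "system" now the default, a build against GnuTLS older than 3.0.20 ends up with an empty value without the administrator having set anything, so the text should state what happens to server certificate verification in that case, not only that "an explicit location must be specified". The trailing context line also has "avilable" for "available".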
For back-compatability,
if neither tls_verify_hosts nor tls_try_verify_hosts are set
+(a single-colon empty list counts as being set)
and certificate verification fails the TLS connection is closed.
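Review bot: "if neither tls_verify_hosts nor tls_try_verify_hosts are set" is ambiguous now that this patch gives tls_try_verify_hosts a default of "*". The added parenthetical covers the empty-list case but not whether an option left at its default counts as set. Say explicitly that "set" means set in the transport configuration, if that is the intent. Smaller points in the same sentence: "are set" should be "is set", a comma is needed after "fails", the option names lack the &%...%& markup used elsewhere, and "back-compatability" should be "back-compatibility".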
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
-specified a collection of expected server certificates.
+specifies a collection of expected server certificates.
These may be the system default set (depeding on library version),
a file or,
depnding on liibrary version, a directory,
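Review bot: the specified/specifies correction is fine, but the three context lines right after it still have "depeding", "depnding" and "liibrary", and they say "depending on library version" twice in one sentence. Fix those in the same change and fold the sentence into one qualifier, for example "the system default set or a directory (both depending on library version), or a file".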