Commit | Line | Data |
---|---|---|
84ee7bcf BP | 1 | .IP "\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR" |
84ee7bcf | 2 | When \fIcacert.pem\fR exists, this option has the same effect as |
84ee7bcf | 3 | \fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then |
84ee7bcf | 4 | \fB\*(PN\fR will attempt to obtain the CA certificate from the |
84ee7bcf | 5 | SSL peer on its first SSL connection and save it to the named PEM |
84ee7bcf | 6 | file. If it is successful, it will immediately drop the connection |
84ee7bcf | 7 | and reconnect, and from then on all SSL connections must be |
84ee7bcf | 8 | authenticated by a certificate signed by the CA certificate thus |
84ee7bcf | 9 | obtained. |
84ee7bcf | 10 | .IP |
84ee7bcf | 11 | \fBThis option exposes the SSL connection to a man-in-the-middle |
84ee7bcf | 12 | attack obtaining the initial CA certificate\fR, but it may be useful |
84ee7bcf | 13 | for bootstrapping. |
84ee7bcf | 14 | .IP |
84ee7bcf | 15 | This option is only useful if the SSL peer sends its CA certificate as |
84ee7bcf | 16 | part of the SSL certificate chain. The SSL protocol does not require |
1d5aaa61 | 17 | the server to send the CA certificate. |
84ee7bcf | 18 | .IP |
4e312e69 | 19 | This option is mutually exclusive with \fB\-C\fR and |
84ee7bcf | 20 | \fB\-\-ca\-cert\fR. |
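
The text above says that once the PEM file exists the option behaves like \-\-ca\-cert, so a CA certificate captured during an intercepted first connection stays trusted on every later run. The following is an added example, not part of the manual page or the project's code: it checks the saved file against a SHA-256 fingerprint obtained over a separate trusted channel and moves a mismatching file aside. It assumes the `openssl` command is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual page): verify a CA certificate saved by
# --bootstrap-ca-cert against a fingerprint obtained out of band.

# Print the certificate's SHA-256 fingerprint as lowercase hex without colons.
# Prints nothing if the file is not a readable PEM certificate.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# verify_bootstrapped_ca FILE EXPECTED_FINGERPRINT
# Returns 0 on match, 1 on mismatch (FILE is moved aside), 2 if FILE is
# missing, empty, or not a parseable certificate.
verify_bootstrapped_ca() {
    file=$1
    # Accept the expected value with or without colons, in either case.
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -s "$file" ] || return 2
    actual=$(ca_fingerprint "$file")
    [ -n "$actual" ] || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    # An existing file is treated like --ca-cert, so a wrong certificate would
    # remain trusted. Move it aside so the next run has to bootstrap again.
    mv -- "$file" "$file.rejected"
    return 1
}
```

Run `verify_bootstrapped_ca cacert.pem "$EXPECTED"` after the first successful connection and before relying on the link; a return value of 1 means the saved certificate is not the one the administrator expected.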