Commit | Line | Data |
---|---|---|
cfdaff25 GS |
1 | <?xml version="1.0" encoding="utf-8"?> |
2 | <dl> | |
3 | <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt> | |
4 | <dd> | |
5 | <p> | |
6 | When <var>cacert.pem</var> exists, this option has the same effect | |
7 | as <code>-C</code> or <code>--ca-cert</code>. If it does not exist, | |
8 | then the executable will attempt to obtain the CA certificate from the | |
9 | SSL peer on its first SSL connection and save it to the named PEM | |
10 | file. If it is successful, it will immediately drop the connection | |
11 | and reconnect, and from then on all SSL connections must be | |
12 | authenticated by a certificate signed by the CA certificate thus | |
13 | obtained. | |
14 | </p> | |
15 | <p> | |
16 | This option exposes the SSL connection to a man-in-the-middle | |
17 | attack while the initial CA certificate is being obtained, but it may | |
18 | be useful for bootstrapping. | |
19 | </p> | |
20 | <p> | |
21 | This option is only useful if the SSL peer sends its CA certificate as | |
22 | part of the SSL certificate chain. The SSL protocol does not require | |
23 | the server to send the CA certificate. | |
24 | </p> | |
25 | <p> | |
26 | This option is mutually exclusive with <code>-C</code> and | |
27 | <code>--ca-cert</code>. | |
28 | </p> | |
29 | </dd> | |
30 | </dl> |
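
Because the first connection is unauthenticated, the file saved by `--bootstrap-ca-cert` is only as trustworthy as that one exchange. The check below is an added example, not code from the documented program: it compares the saved PEM file against a SHA-256 fingerprint of the CA certificate delivered out of band. The function names are hypothetical, and it assumes the saved file holds exactly one PEM certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Wrap DER bytes in PEM armor (used here only to build sample input)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprint of the DER form of each certificate in the text."""
    return [hashlib.sha256(
                base64.b64decode("".join(b.split()), validate=True)).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def normalize(fp):
    """Accept 'ab12..', 'AB:12:..' or 'SHA256 Fingerprint=AB:12:..'."""
    return fp.split("=")[-1].replace(":", "").strip().lower()

def check_bootstrapped_ca(pem_text, trusted_fp):
    """Return (ok, reason); fails closed on anything unexpected."""
    try:
        found = pem_fingerprints(pem_text)
    except ValueError:  # binascii.Error (bad base64) is a ValueError
        return False, "malformed PEM body"
    if len(found) != 1:  # assumption: the saved file holds one CA certificate
        return False, "expected exactly 1 certificate, found %d" % len(found)
    if found[0] != normalize(trusted_fp):
        return False, "fingerprint mismatch: " + found[0]
    return True, "fingerprint matches"

if __name__ == "__main__":
    # Constructed bytes standing in for a DER certificate; not a real CA.
    sample = b"constructed placeholder, not a real certificate"
    trusted = hashlib.sha256(sample).hexdigest()  # would arrive out of band
    print(check_bootstrapped_ca(to_pem(sample), trusted))
    print(check_bootstrapped_ca(to_pem(b"different constructed bytes"), trusted))
```

On a mismatch, delete the saved file and provision the CA certificate through a trusted channel instead of bootstrapping again over the same network path.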