lib/ssl-bootstrap.xml

   1 <?xml version="1.0" encoding="utf-8"?>
   2 <dl>
   3   <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt>
   4   <dd>
   5     <p>
   6       When <var>cacert.pem</var> exists, this option has the same effect
   7       as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
   8       then the executable will attempt to obtain the CA certificate from the
   9       SSL peer on its first SSL connection and save it to the named PEM
  10       file.  If it is successful, it will immediately drop the connection
  11       and reconnect, and from then on all SSL connections must be
  12       authenticated by a certificate signed by the CA certificate thus
  13       obtained.
  14     </p>
  15     <p>
  16       This option exposes the SSL connection to a man-in-the-middle
  17       attack obtaining the initial CA certificate, but it may be useful
  18       for bootstrapping.
  19     </p>
  20     <p>
  21       This option is only useful if the SSL peer sends its CA certificate as
  22       part of the SSL certificate chain.  The SSL protocol does not require
  23       the server to send the CA certificate.
  24     </p>
  25     <p>
  26       This option is mutually exclusive with <code>-C</code> and
  27       <code>--ca-cert</code>.
  28     </p>
  29   </dd>
  30 </dl>