TLS: document the update-ca-trust

Nikos Mavrogiannopoulos 2016-07-21 14:39:56 +02:00
parent 3e6ed216b4
commit d5b32966c7

@ -281,16 +281,17 @@
<para>
The client must configure the TLS library to use a set of
trusted root certificates. These certificates are provided
by the system in <filename
class="directory">/etc/ssl/certs</filename> or files derived
from it.
by the system in various formats and files. These are documented in <literal>update-ca-trust</literal>
man page in Fedora. Portable applications should not hard-code
any paths; they should rely on APIs which set the default
for the system trust store.
</para>
</listitem>
<listitem>
<para>
The client selects sufficiently strong cryptographic
primitives and disables insecure ones (such as no-op
encryption). Compression and SSL version 2 support must be
encryption). Compression support and SSL version 3 or lower must be
disabled (including the SSLv2-compatible handshake).
</para>
</listitem>
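Review bot: the commit subject covers only update-ca-trust, but the second list item in this hunk also changes the protocol requirement from "SSL version 2 support must be disabled" to "SSL version 3 or lower must be disabled". That is a separate policy change and should be its own commit, or at least be named in the message, so it can be found later. In the first list item, "documented in <literal>update-ca-trust</literal> man page in Fedora" is missing an article ("in the ... man page"), and a man page reference is normally marked up with <citerefentry> rather than <literal>. The advice to "rely on APIs which set the default for the system trust store" names no API; a cross-reference to the per-library sections of this chapter would make it actionable.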
@ -546,7 +547,7 @@
linkend="ex-Defensive_Coding-TLS-GNUTLS-Disconnect"/>).
</para>
<example id="ex-Defensive_Coding-TLS-GNUTLS-Disconnect">
<title>Using a GNUTLS session</title>
<title>Closing a GNUTLS session in an orderly fashion</title>
<xi:include href="snippets/Features-TLS-GNUTLS-Disconnect.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
</example>
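Review bot: the retitle of the example with id "ex-Defensive_Coding-TLS-GNUTLS-Disconnect" is unrelated to update-ca-trust and is not mentioned in the commit message; please note it there or split it out. The new title, "Closing a GNUTLS session in an orderly fashion", does agree with the id and with the included snippet name (Features-TLS-GNUTLS-Disconnect.xml), so the text itself looks right.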