docs-xml: add 'tls trust system cas' and 'tls ca directories' options
authorStefan Metzmacher <metze@samba.org>
Tue, 13 Feb 2024 16:42:41 +0000 (17:42 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 23 Apr 2024 23:50:34 +0000 (23:50 +0000)
This will make it easier to support trusting more than one CA.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/smbdotconf/security/tlscadirs.xml [new file with mode: 0644]
docs-xml/smbdotconf/security/tlscafile.xml
docs-xml/smbdotconf/security/tlstrustsystemcas.xml [new file with mode: 0644]
docs-xml/smbdotconf/security/tlsverifypeer.xml

diff --git a/docs-xml/smbdotconf/security/tlscadirs.xml b/docs-xml/smbdotconf/security/tlscadirs.xml
new file mode 100644 (file)
index 0000000..dc75cec
--- /dev/null
@@ -0,0 +1,14 @@
+<samba:parameter name="tls ca directories"
+                 type="list"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+       <para>This option can be set to a list of directories with files (in PEM format)
+       containing CA certificates of root CAs to trust to sign
+       certificates or intermediate CA certificates.</para>
+ </description>
+
+ <related>tls trust system cas</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
+</samba:parameter>
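Review bot: The description of `tls ca directories` does not say who must control the listed directories, although presumably every PEM file found in them is treated as a trusted CA. I would add a paragraph such as `<para>The directories and the files in them should be writable only by the administrator, as any CA certificate placed there is trusted.</para>`. The text also does not say how a relative path is resolved, which the neighbouring tls cafile description appears to cover for its own option. Unlike tlstrustsystemcas.xml, this new file has no `<value type="default">` element, so the documented default is left implicit; an explicit empty default would make it clear that no directory is searched unless one is configured.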
index bcbac62a417490954456bbfc04b3aedc8fcc1445..87a9454bba1f70b6ac8f48958c71d802075d68ee 100644 (file)
@@ -11,6 +11,8 @@
         does not start with a /.</para>
  </description>
 
+ <related>tls trust system cas</related>
+ <related>tls ca directories</related>
  <related>tls certfile</related>
  <related>tls crlfile</related>
  <related>tls dh params file</related>
diff --git a/docs-xml/smbdotconf/security/tlstrustsystemcas.xml b/docs-xml/smbdotconf/security/tlstrustsystemcas.xml
new file mode 100644 (file)
index 0000000..cbadaa2
--- /dev/null
@@ -0,0 +1,17 @@
+<samba:parameter name="tls trust system cas"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+       <para>With this option the system's default trusted CAs are
+       used to trust SSL/TLS connections.</para>
+
+       <para>Please use this with care, as it really means
+       trusting all CAs installed on the system!</para>
+ </description>
+
+ <related>tls ca directories</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
+ <value type="default">no</value>
+</samba:parameter>
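Review bot: The description does not state whether the system CAs are added to the CAs from `tls cafile` and `tls ca directories` or replace them, nor which connections are affected, and "used to trust SSL/TLS connections" leaves both open. A sentence such as `<para>The system CAs are used in addition to those configured with tls cafile and tls ca directories.</para>` would settle the first point, if that is the implemented behaviour. The related list also omits the option that decides whether any CA is consulted; I would add `<related>tls verify peer</related>`, since tlsverifypeer.xml links back to this parameter in the same commit. Keeping the default at `no` is the right choice given the warning in the second paragraph.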
index 4f47dd4db0d32dd971b5f0a7e8eb19ca05c0c4eb..8ff7afaaf84ab62397efbf461e0c380c11e1f58b 100644 (file)
@@ -19,7 +19,9 @@
 
        <para>When set to <constant>ca_only</constant> the certificate is verified to
        be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
-       Setting <smbconfoption name="tls ca file"/> to a valid file is required.
+       As alternative <smbconfoption name="tls ca directories"/> or
+       <smbconfoption name="tls trust system cas"/> can be used.
+       Providing at least one valid CA certificate is required.
        The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
        option is configured, the certificate is also verified against the ca crl.
        </para>
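Review bot: The added sentences present `tls trust system cas` as an equal alternative for `ca_only`, but `ca_only` as described in this paragraph checks only the issuer, the lifetime and optionally the CRL, not the peer name. With the system store trusted, a certificate issued by any CA in that store, for any name, would therefore pass, which is much weaker than pinning one private CA file. I would say so here, for example `With <smbconfoption name="tls trust system cas"/> a certificate issued by any system CA, for any name, is accepted in this mode.` As a wording point, "As alternative" should read "As an alternative". The enclosing description element starts outside this hunk, so the other verification levels may need the same caveat.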
@@ -43,5 +45,9 @@
        </para>
 </description>
 
+ <related>tls trust system cas</related>
+ <related>tls ca directories</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
 <value type="default">as_strict_as_possible</value>
 </samba:parameter>