This will make it easier to support trusting more than one CA.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
--- /dev/null
+<samba:parameter name="tls ca directories"
+ type="list"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>This option can be set to a list of directories with files (in PEM format)
+ containing CA certificates of root CAs to trust to sign
+ certificates or intermediate CA certificates.</para>
+ </description>
+
+ <related>tls trust system cas</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
+</samba:parameter>
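Review bot: no `<value type="default">` element is given for `tls ca directories`, while the sibling `tls trust system cas` parameter in this patch declares `<value type="default">no</value>`; add the default (presumably an empty list) so the generated manpage shows it. The description should also say how files in each directory are selected (every file, or only a particular extension or hashed name) and whether the directories are additive to `tls cafile` or replace it. Note too that the `<related>` entries here spell the options `tls cafile` and `tls crlfile`, whereas the `tls verify peer` text in this same patch refers to `tls ca file` and `tls crl file`; pick one spelling so the cross-references resolve.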
does not start with a /.</para>
</description>
+ <related>tls trust system cas</related>
+ <related>tls ca directories</related>
<related>tls certfile</related>
<related>tls crlfile</related>
<related>tls dh params file</related>
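Review bot: adding `<related>` entries alone leaves the `tls cafile` description misleading; it should now say that the file is optional once `tls ca directories` or `tls trust system cas` supplies trust anchors, and what happens when `tls cafile` is set together with the other sources (union or precedence). Without that sentence a reader of this page still concludes that `tls cafile` is the only way to provide a CA.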
--- /dev/null
+<samba:parameter name="tls trust system cas"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>With this option the system's default trusted CAs are
+ used to trust SSL/TLS connections.</para>
+
+ <para>Please use this with care, as it really means
+ trusting all CAs installed on the system!</para>
+ </description>
+
+ <related>tls ca directories</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
+ <value type="default">no</value>
+</samba:parameter>
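Review bot: "used to trust SSL/TLS connections" leaves the scope undefined: the description should state that the system store is consulted only when `tls verify peer` requires CA verification (`ca_only` or stricter), whether it is merged with `tls cafile` / `tls ca directories` or used instead of them, and whether `tls crlfile` still applies to chains anchored in the system store. The warning paragraph is the right call; consider extending it with the practical advice to keep the default `no` for domain-internal LDAP over TLS where the issuing CA is known, since with `yes` any CA trusted by the host's distribution can issue a certificate the peer check accepts.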
<para>When set to <constant>ca_only</constant> the certificate is verified to
be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
- Setting <smbconfoption name="tls ca file"/> to a valid file is required.
+ As alternative <smbconfoption name="tls ca directories"/> or
+ <smbconfoption name="tls trust system cas"/> can be used.
+ Providing at least one valid CA certificate is required.
The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
option is configured, the certificate is also verified against the ca crl.
</para>
</para>
</description>
+ <related>tls trust system cas</related>
+ <related>tls ca directories</related>
+ <related>tls cafile</related>
+ <related>tls crlfile</related>
<value type="default">as_strict_as_possible</value>
</samba:parameter>
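Review bot: the added sentences contradict the unchanged one before them: "the certificate is verified to be signed from a ca specified in the tls ca file option" still names `tls ca file` as the only source, and then "As alternative ... can be used" is bolted on. Fold the three sources into the one sentence, e.g. "signed by a CA supplied via tls cafile, tls ca directories or tls trust system cas", and either drop "Providing at least one valid CA certificate is required." or reword it to say that `tls trust system cas = yes` satisfies it on its own. Grammar in the `+` lines: "As alternative" should read "As an alternative", and "a ca" should be "a CA". Also, the context shows two consecutive `</para>` closes after the edited paragraph; check that the second one has a matching open, and fix the stray close while this block is being touched.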