patches: more minor updates

[git-osx-installer.git] / patches / curl / q / t_docs_manpage.diff

Subject: [PATCH] curl.1: update to match code

The curl.1 man page contains various information that is actually
misleading about the version of darwinssl (SecureTransport) code
included in this build.

Update it to provide accurate information.

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>

---
 docs/curl.1 | 82 +++++++++++++++++++++++++------------------------------------
 1 file changed, 33 insertions(+), 49 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1
index f5375ed7..be997c9e 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -18,6 +18,9 @@
 .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 .\" * KIND, either express or implied.
 .\" *
+.\" * Updates for improved DarwinSSL vtls Copyright (C) 2016 Kyle J. McKay.
+.\" * All rights reserved.
+.\" *
 .\" **************************************************************************
 .\"
 .TH curl 1 "30 Nov 2014" "Curl 7.40.0" "Curl Manual"
@@ -330,6 +333,9 @@ List that may specify peer certificates that are to be considered revoked.
 
 If this option is used several times, the last one will be used.
 
+This option is NOT supported in this build.  Certificates may be added to the
+System keychain and marked as "Never Trust" as an alternative.
+
 (Added in 7.19.7)
 .IP "-d, --data <data>"
 (HTTP) Sends the specified data in a POST request to the HTTP server, in the
@@ -503,28 +509,18 @@ automatically set the previous URL when it follows a Location: header. The
 If this option is used several times, the last one will be used.
 .IP "-E, --cert <certificate[:password]>"
 (SSL) Tells curl to use the specified client certificate file when getting a
-file with HTTPS, FTPS or another SSL-based protocol. The certificate must be
-in PKCS#12 format if using Secure Transport, or PEM format if using any other
-engine.  If the optional password isn't specified, it will be queried for on
-the terminal. Note that this option assumes a \&"certificate" file that is the
-private key and the client certificate concatenated! See \fI--cert\fP and
+file with HTTPS, FTPS or another SSL-based protocol. The client certificate(s)
+must be in PEM format.  If the optional password isn't specified, it will be
+queried for.  Note that this option assumes a \&"certificate" file that is the
+private key and the client certificate(s) concatenated! See \fI--cert\fP and
 \fI--key\fP to specify them independently.
 
-If curl is built against the NSS SSL library then this option can tell
-curl the nickname of the certificate to use within the NSS database defined
-by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the
-NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be
-loaded. If you want to use a file from the current directory, please precede
-it with "./" prefix, in order to avoid confusion with a nickname.  If the
-nickname contains ":", it needs to be preceded by "\\" so that it is not
-recognized as password delimiter.  If the nickname contains "\\", it needs to
-be escaped as "\\\\" so that it is not recognized as an escape character.
-
-(iOS and macOS only) If curl is built against Secure Transport, then the
-certificate string can either be the name of a certificate/private key in the
-system or user keychain, or the path to a PKCS#12-encoded certificate and
-private key. If you want to use a file from the current directory, please
-precede it with "./" prefix, in order to avoid confusion with a nickname.
+The certificate string can either be the name of a certificate/private key in
+the system or user keychain, or the path to a PEM format certificate(s) and
+(optioanlly) private key file. If you want to use a file from the current
+directory, please precede it with "./" prefix, in order to avoid confusion with
+a nickname.  Note that if the client certificate is located in the user/system
+keychain then the password must also be in the keychain.
 
 If this option is used several times, the last one will be used.
 .IP "--engine <name>"
@@ -549,7 +545,9 @@ curl stops waiting, it will continue as if the response has been received.
 (Added in 7.47.0)
 .IP "--cert-type <type>"
 (SSL) Tells curl what certificate type the provided certificate is in. PEM,
-DER and ENG are recognized types.  If not specified, PEM is assumed.
+DER and ENG are recognized types.  If not specified, PEM is assumed.  Use of
+DER format is not recommended as only a single client leaf certificate is
+supported in that case.
 
 If this option is used several times, the last one will be used.
 .IP "--cacert <CA certificate>"
@@ -558,22 +556,9 @@ file may contain multiple CA certificates. The certificate(s) must be in PEM
 format. Normally curl is built to use a default file for this, so this option
 is typically used to alter that default file.
 
-curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is
-set, and uses the given path as a path to a CA cert bundle. This option
-overrides that variable.
-
-The windows version of curl will automatically look for a CA certs file named
-\'curl-ca-bundle.crt\', either in the same directory as curl.exe, or in the
-Current Working Directory, or in any folder along your PATH.
-
-If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module
-(libnsspem.so) needs to be available for this option to work properly.
-
-(iOS and macOS only) If curl is built against Secure Transport, then this
-option is supported for backward compatibility with other SSL engines, but it
-should not be set. If the option is not set, then curl will use the
-certificates in the system and user Keychain to verify the peer, which is the
-preferred method of verifying the peer's certificate chain.
+If this option is not set, then curl will use the certificates in the system
+and user Keychains to verify the peer, which is the preferred method of
+verifying the peer's certificate chain.
 
 If this option is used several times, the last one will be used.
 .IP "--capath <CA certificate directory>"
@@ -587,27 +572,25 @@ OpenSSL-powered curl to make SSL-connections much more efficiently than using
 
 If this option is set, the default capath value will be ignored, and if it is
 used several times, the last one will be used.
+
+This option is NOT supported with this SecureTransport-based build of curl.
 .IP "--pinnedpubkey <pinned public key (hashes)>"
 (SSL) Tells curl to use the specified public key file (or hashes) to verify the
 peer. This can be a path to a file which contains a single public key in PEM or
 DER format, or any number of base64 encoded sha256 hashes preceded by
-\'sha256//\' and separated by \';\'
+\'sha256//\' and separated by \';\'.
+
+Additionally, if this is a path to a file, the file may also contain a single
+DER format certificate or one or more PEM format certificates/public keys in
+which case the public keys are automatically extracted from the certificates.
 
 When negotiating a TLS or SSL connection, the server sends a certificate
 indicating its identity. A public key is extracted from this certificate and
 if it does not exactly match the public key provided to this option, curl will
 abort the connection before sending or receiving any data.
 
-PEM/DER support:
-  7.39.0: OpenSSL, GnuTLS and GSKit
-  7.43.0: NSS and wolfSSL/CyaSSL
-  7.47.0: mbedtls
-  7.49.0: PolarSSL
-sha256 support:
-  7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL.
-  7.47.0: mbedtls
-  7.49.0: PolarSSL
-Other SSL backends not supported.
+Although this is a SecureTransport-based build of curl, it DOES support both
+PEM/DER format files AND sha256 hashes.
 
 If this option is used several times, the last one will be used.
 .IP "--cert-status"
@@ -618,7 +601,8 @@ If this option is enabled and the server sends an invalid (e.g. expired)
 response, if the response suggests that the server certificate has been revoked,
 or no response at all is received, the verification fails.
 
-This is currently only implemented in the OpenSSL, GnuTLS and NSS backends.
+This is currently only implemented in the OpenSSL, GnuTLS and NSS backends which
+means it is NOT supported in this build.
 (Added in 7.41.0)
 .IP "--false-start"
 
---