From 25b05b75be1acdd4c96a301839be525809f35a47 Mon Sep 17 00:00:00 2001
From: Wilmer van der Gaast <wilmer@gaast.net>
Date: Mon, 19 Dec 2011 18:34:06 +0100
Subject: Doc update.

---
 bitlbee.conf                | 20 ++++++++++++++++----
 doc/user-guide/commands.xml | 24 +++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/bitlbee.conf b/bitlbee.conf
index c5dafd9f..e0b74f41 100644
--- a/bitlbee.conf
+++ b/bitlbee.conf
@@ -115,9 +115,9 @@
 ##
 ## (Obviously, the username and password are optional)
 ##
-## Proxy = http://john:doe@proxy.localnet.com:8080
-## Proxy = socks4://socksproxy.localnet.com
-## Proxy = socks5://socksproxy.localnet.com
+# Proxy = http://john:doe@proxy.localnet.com:8080
+# Proxy = socks4://socksproxy.localnet.com
+# Proxy = socks5://socksproxy.localnet.com
 
 ## Protocols offered by bitlbee
 ## 
@@ -125,8 +125,20 @@
 ## allows to remove the support of protocol, even if compiled in. If
 ## nothing is given, there are no restrictions.
 ## 
-## Protocols = jabber yahoo
+# Protocols = jabber yahoo
 
+## Trusted CAs
+##
+## Path to a file containing a list of trusted certificate authorities used in
+## the verification of server certificates.
+##
+## Uncomment this and make sure the file actually exists and contains all
+## certificate authorities you're willing to accept (default value should
+## work on at least Debian/Ubuntu systems with the "ca-certificates" package
+## installed). As long as the line is commented out, SSL certificate
+## verification is completely disabled.
+##
+# CAfile = /etc/ssl/certs/ca-certificates.crt
 
 [defaults]
 
diff --git a/doc/user-guide/commands.xml b/doc/user-guide/commands.xml
index 3a9202dc..eb050c31 100644
--- a/doc/user-guide/commands.xml
+++ b/doc/user-guide/commands.xml
@@ -1391,7 +1391,11 @@
 
 		<description>
 			<para>
-				Currently only available for Jabber connections. Set this to true if the server accepts SSL connections.
+				Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223).
+			</para>
+
+			<para>
+				Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the <emphasis>tls</emphasis> setting instead.
 			</para>
 		</description>
 	</bitlbee-setting>
@@ -1484,6 +1488,24 @@
 		</description>
 	</bitlbee-setting>
 
+	<bitlbee-setting name="tls_verify" type="boolean" scope="account">
+		<default>true</default>
+
+		<description>
+			<para>
+				Currently only available for Jabber connections in combination with the <emphasis>tls</emphasis> setting. Set this to <emphasis>true</emphasis> if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities.
+			</para>
+
+			<para>
+				The hostname used in the certificate verification is the value of the <emphasis>server</emphasis> setting if the latter is nonempty and the domain of the username else. If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the <emphasis>server</emphasis> setting.
+			</para>
+
+			<para>
+				Please note that no certificate verification is performed when the <emphasis>ssl</emphasis> setting is used, or when the CAfile setting in bitlbee.conf is not set.
+			</para>
+		</description>
+	</bitlbee-setting>
+
 	<bitlbee-setting name="to_char" type="string" scope="global">
 		<default>": "</default>
 
-- 
cgit v1.2.3