diff --git a/doc/h2load.1 b/doc/h2load.1 index 6e34d8ca..1d96265d 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "May 26, 2017" "1.23.0" "nghttp2" +.TH "H2LOAD" "1" "Jul 02, 2017" "1.24.0" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/nghttp.1 b/doc/nghttp.1 index 04392e07..de9bfa02 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "May 26, 2017" "1.23.0" "nghttp2" +.TH "NGHTTP" "1" "Jul 02, 2017" "1.24.0" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index 0a8366d2..d860e4de 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "May 26, 2017" "1.23.0" "nghttp2" +.TH "NGHTTPD" "1" "Jul 02, 2017" "1.24.0" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index 273474de..17e00a63 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "May 26, 2017" "1.23.0" "nghttp2" +.TH "NGHTTPX" "1" "Jul 02, 2017" "1.24.0" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . 
@@ -604,11 +604,14 @@ enabled for backend connections. .INDENT 0.0 .TP .B \-\-cacert= -Set path to trusted CA certificate file used in backend -TLS connections. The file must be in PEM format. It -can contain multiple certificates. If the linked -OpenSSL is configured to load system wide certificates, -they are loaded at startup regardless of this option. +Set path to trusted CA certificate file. It is used in +backend TLS connections to verify peer\(aqs certificate. +It is also used to verify OCSP response from the script +set by \fI\%\-\-fetch\-ocsp\-response\-file\fP\&. The file must be in +PEM format. It can contain multiple certificates. If +the linked OpenSSL is configured to load system wide +certificates, they are loaded at startup regardless of +this option. .UNINDENT .INDENT 0.0 .TP @@ -691,10 +694,14 @@ done in case\-insensitive manner. The versions between \fI\%\-\-tls\-min\-proto\-version\fP and \fI\%\-\-tls\-max\-proto\-version\fP are enabled. If the protocol list advertised by client does not overlap this range, you will receive the error -message "unknown protocol". The available versions are: +message "unknown protocol". If a protocol version lower +than TLSv1.2 is specified, make sure that the compatible +ciphers are included in \fI\%\-\-ciphers\fP option. The default +cipher list only includes ciphers compatible with +TLSv1.2 or above. The available versions are: TLSv1.2, TLSv1.1, and TLSv1.0 .sp -Default: \fBTLSv1.1\fP +Default: \fBTLSv1.2\fP .UNINDENT .INDENT 0.0 .TP diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst index 97af6938..290034b5 100644 --- a/doc/nghttpx.1.rst +++ b/doc/nghttpx.1.rst 
@@ -558,11 +558,14 @@ SSL/TLS .. option:: --cacert= - Set path to trusted CA certificate file used in backend - TLS connections. The file must be in PEM format. It - can contain multiple certificates. If the linked - OpenSSL is configured to load system wide certificates, - they are loaded at startup regardless of this option. + Set path to trusted CA certificate file. It is used in + backend TLS connections to verify peer's certificate. + It is also used to verify OCSP response from the script + set by :option:`--fetch-ocsp-response-file`\. The file must be in + PEM format. It can contain multiple certificates. If + the linked OpenSSL is configured to load system wide + certificates, they are loaded at startup regardless of + this option. .. option:: --private-key-passwd-file= @@ -636,10 +639,14 @@ SSL/TLS :option:`--tls-min-proto-version` and :option:`\--tls-max-proto-version` are enabled. If the protocol list advertised by client does not overlap this range, you will receive the error - message "unknown protocol". The available versions are: + message "unknown protocol". If a protocol version lower + than TLSv1.2 is specified, make sure that the compatible + ciphers are included in :option:`--ciphers` option. The default + cipher list only includes ciphers compatible with + TLSv1.2 or above. The available versions are: TLSv1.2, TLSv1.1, and TLSv1.0 - Default: ``TLSv1.1`` + Default: ``TLSv1.2`` .. option:: --tls-max-proto-version=
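Review bot: the new --cacert text (hunk @@ -558,11 +558,14 in doc/nghttpx.1.rst, mirrored at @@ -604,11 +604,14 in doc/nghttpx.1) does not spell out what it means for one file to serve two trust decisions. A CA placed in the file for a backend's sake is also accepted when verifying OCSP responses from the script set by --fetch-ocsp-response-file. Suggest adding a sentence that says this directly, so operators keep the file limited to CAs they trust for both purposes. The closing sentence, "they are loaded at startup regardless of this option", should also say whether the system wide certificates take part in OCSP response verification or only in backend connections.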
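Review bot: the default in the --tls-min-proto-version hunk (@@ -636,10 +639,14 in doc/nghttpx.1.rst, mirrored at @@ -691,10 +694,14 in doc/nghttpx.1) moves from ``TLSv1.1`` to ``TLSv1.2`` with nothing in the text marking it as a behaviour change. Going by the paragraph's own description, a client that advertises nothing above TLSv1.1 now gets "unknown protocol" unless the option is set explicitly. Suggest a short note that the default was raised in this release (the man page header shows 1.24.0). The added sentence on lower versions tells the reader to "make sure that the compatible ciphers are included" but not what happens if they are not; stating the symptom would help anyone debugging a lowered minimum with the default cipher list. Minor wording: "in :option:`--ciphers` option" reads better as "in the :option:`--ciphers` option".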