From 3bcc416e13cc790e2fb45fcfe9111d38609c5032 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sun, 2 Jul 2017 13:40:21 +0900
Subject: [PATCH] Update manual pages

---
 doc/h2load.1      |  2 +-
 doc/nghttp.1      |  2 +-
 doc/nghttpd.1     |  2 +-
 doc/nghttpx.1     | 23 +++++++++++++++--------
 doc/nghttpx.1.rst | 21 ++++++++++++++-------
 5 files changed, 32 insertions(+), 18 deletions(-)

diff --git a/doc/h2load.1 b/doc/h2load.1
index 6e34d8ca..1d96265d 100644
--- a/doc/h2load.1
+++ b/doc/h2load.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "H2LOAD" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "H2LOAD" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .
diff --git a/doc/nghttp.1 b/doc/nghttp.1
index 04392e07..de9bfa02 100644
--- a/doc/nghttp.1
+++ b/doc/nghttp.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTP" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTP" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .
diff --git a/doc/nghttpd.1 b/doc/nghttpd.1
index 0a8366d2..d860e4de 100644
--- a/doc/nghttpd.1
+++ b/doc/nghttpd.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPD" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTPD" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .
diff --git a/doc/nghttpx.1 b/doc/nghttpx.1
index 273474de..17e00a63 100644
--- a/doc/nghttpx.1
+++ b/doc/nghttpx.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPX" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTPX" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .
@@ -604,11 +604,14 @@ enabled for backend connections.
 .INDENT 0.0
 .TP
 .B \-\-cacert=<PATH>
-Set path to trusted CA  certificate file used in backend
-TLS connections.   The file must  be in PEM  format.  It
-can  contain  multiple   certificates.   If  the  linked
-OpenSSL is configured to  load system wide certificates,
-they are loaded at startup regardless of this option.
+Set path to trusted CA  certificate file.  It is used in
+backend  TLS connections  to verify  peer\(aqs certificate.
+It is also used to  verify OCSP response from the script
+set by \fI\%\-\-fetch\-ocsp\-response\-file\fP\&.  The  file must be in
+PEM format.   It can contain multiple  certificates.  If
+the  linked OpenSSL  is configured  to load  system wide
+certificates, they  are loaded at startup  regardless of
+this option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -691,10 +694,14 @@ done in  case\-insensitive manner.  The  versions between
 \fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
-message "unknown protocol".  The available versions are:
+message "unknown protocol".  If a protocol version lower
+than TLSv1.2 is specified, make sure that the compatible
+ciphers are  included in \fI\%\-\-ciphers\fP option.   The default
+cipher  list  only   includes  ciphers  compatible  with
+TLSv1.2 or above.  The available versions are:
 TLSv1.2, TLSv1.1, and TLSv1.0
 .sp
-Default: \fBTLSv1.1\fP
+Default: \fBTLSv1.2\fP
 .UNINDENT
 .INDENT 0.0
 .TP
diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst
index 97af6938..290034b5 100644
--- a/doc/nghttpx.1.rst
+++ b/doc/nghttpx.1.rst
@@ -558,11 +558,14 @@ SSL/TLS
 
 .. option:: --cacert=<PATH>
 
-    Set path to trusted CA  certificate file used in backend
-    TLS connections.   The file must  be in PEM  format.  It
-    can  contain  multiple   certificates.   If  the  linked
-    OpenSSL is configured to  load system wide certificates,
-    they are loaded at startup regardless of this option.
+    Set path to trusted CA  certificate file.  It is used in
+    backend  TLS connections  to verify  peer's certificate.
+    It is also used to  verify OCSP response from the script
+    set by :option:`--fetch-ocsp-response-file`\.  The  file must be in
+    PEM format.   It can contain multiple  certificates.  If
+    the  linked OpenSSL  is configured  to load  system wide
+    certificates, they  are loaded at startup  regardless of
+    this option.
 
 .. option:: --private-key-passwd-file=<PATH>
 
@@ -636,10 +639,14 @@ SSL/TLS
     :option:`--tls-min-proto-version` and  :option:`\--tls-max-proto-version` are
     enabled.  If the protocol list advertised by client does
     not  overlap  this range,  you  will  receive the  error
-    message "unknown protocol".  The available versions are:
+    message "unknown protocol".  If a protocol version lower
+    than TLSv1.2 is specified, make sure that the compatible
+    ciphers are  included in :option:`--ciphers` option.   The default
+    cipher  list  only   includes  ciphers  compatible  with
+    TLSv1.2 or above.  The available versions are:
     TLSv1.2, TLSv1.1, and TLSv1.0
 
-    Default: ``TLSv1.1``
+    Default: ``TLSv1.2``
 
 .. option:: --tls-max-proto-version=<VER>