author: Jacob Appelbaum <jacob@appelbaum.net> 2012-07-15 22:38:46 -0400
committer: Jacob Appelbaum <jacob@appelbaum.net> 2012-07-15 22:38:46 -0400
commit: c732f4e7460c566c224573ea52e2cdf2fbc95453 (patch)
tree: 2e0b7a6738ed6f70b560c125f5dd13e557d686ad /man
parent: 920ea0356bd5ac8fb9661862533397b9a40e2df7 (diff)
download: tlsdate-c732f4e7460c566c224573ea52e2cdf2fbc95453.tar.gz
Add -l and --leap option
Diffstat (limited to 'man')
-rw-r--r-- man/tlsdate-helper.1 | 2
-rw-r--r-- man/tlsdate.1 | 16
2 files changed, 16 insertions, 2 deletions
diff --git a/man/tlsdate-helper.1 b/man/tlsdate-helper.1
index 5652fae..4d48677 100644
--- a/man/tlsdate-helper.1
+++ b/man/tlsdate-helper.1
@@ -6,7 +6,7 @@
tlsdate-helper \- secure parasitic rdate replacement
.SH SYNOPSIS
.B tlsdate-helper host port protocol ca_racket verbose certdir setclock \
-showtime timewarp
+showtime timewarp leapaway
.SH DESCRIPTION
.B tlsdate-helper
is a tool for setting the system clock by hand or by communication
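Review bot: the SYNOPSIS line gains a new positional argument `leapaway`, but nothing in this hunk documents what it means or which values it accepts, and tlsdate-helper takes only positional arguments, so a reader has no way to learn what to pass. Add a description of the parameter to the page (stating that it carries the `-l | --leap` setting introduced in this commit and which value enables it), so the man page does not ship with an undocumented argument.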
diff --git a/man/tlsdate.1 b/man/tlsdate.1
index f6024aa..7c43fcd 100644
--- a/man/tlsdate.1
+++ b/man/tlsdate.1
@@ -5,7 +5,7 @@
.SH NAME
tlsdate \- secure parasitic rdate replacement
.SH SYNOPSIS
-.B tlsdate [-hnvVst] [-H [hostname]] [-p [port]] [-P [sslv23|sslv3|tlsv1]] \
+.B tlsdate [-hnvVstl] [-H [hostname]] [-p [port]] [-P [sslv23|sslv3|tlsv1]] \
[--certdir [dirname]]
.SH DESCRIPTION
.B tlsdate
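Review bot: `-l` is appended to the short-option cluster consistently with the existing `[-hnvVst]` style; the only style point is that the long form `--leap` is not shown in the SYNOPSIS, whereas `[--certdir [dirname]]` is listed on the following line. Consider adding `[--leap]` there so the synopsis matches the `-l | --leap` entry documented in the OPTIONS section.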
@@ -53,6 +53,20 @@ Hair. This should ensure that X509_V_ERR_CERT_NOT_YET_VALID or
X509_V_ERR_CERT_HAS_EXPIRED are not encountered because of a broken RTC or the
lack of a local RTC; we assume that tlsdate is recompiled yearly and that all
certificates are otherwise considered valid.
+.IP "-l | --leap"
+Normally, the passing of time or time yet to come ensures that SSL verify
+functions will fail to validate certificates. Commonly,
+X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully
+annoying but still very important error states. When the only issue with the
+certificates in question is the timing information, this option allows you to
+trust the remote system's time, as long as it is after RECENT_COMPILE_DATE and
+before MAX_REASONABLE_TIME. The connection will only be trusted if
+X509_V_ERR_CERT_NOT_YET_VALID and/or X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED are
+the only errors encountered. The SSL verify function will not return X509_V_OK
+if there are any other issues, such as self-signed certificates or if the user
+pins to a CA that is not used by the remote server. This is useful if your RTC
+is broken on boot and you are unable to use DNSEC until you've at least had
+some kind of leap of cryptographically assured data.
.SH BUGS
It's likely! Let us know by contacting jacob@appelbaum.net
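Review bot: the new `-l | --leap` entry names an error code that does not exist: `X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED` should read `X509_V_ERR_CERT_HAS_EXPIRED` (the `X509_V_OK` prefix looks pasted in from the sentence that follows). In the same paragraph `DNSEC` should be `DNSSEC`. Beyond the typos, the entry would read more clearly if it stated up front what the option does from a security standpoint: it accepts the time from a server whose certificate fails verification solely on date grounds (not-yet-valid or expired), bounded only by RECENT_COMPILE_DATE and MAX_REASONABLE_TIME, with every other verification error still rejecting the connection, so readers understand this is a bootstrap mode for a broken RTC rather than a general-purpose setting. It would also help to say where RECENT_COMPILE_DATE and MAX_REASONABLE_TIME come from, since the text refers to them without any explanation.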