author: Sébastien Helleu <flashcode@flashtux.org> 2021-05-12 20:39:40 +0200
committer: Sébastien Helleu <flashcode@flashtux.org> 2021-05-12 20:39:40 +0200
commit: c588ee21bc8fd33678893d5c67616033281032e3
tree: 6b082610e625ca846417043edc1297e1b404cd41 /doc/en
parent: b7112e409060160ccb865c7a749579d18b914110
core: improve options to load GnuTLS system/user CAs (closes #972)

Changes:

* new option: weechat.network.gnutls_ca_system
* option weechat.network.gnutls_ca_file renamed to weechat.network.gnutls_ca_user
* reload certificates when options are changed
* remove build option CA_FILE

Diffstat (limited to 'doc/en')
-rw-r--r-- doc/en/includes/autogen_user_options.en.adoc | 12
-rw-r--r-- doc/en/weechat_faq.en.adoc | 13
-rw-r--r-- doc/en/weechat_user.en.adoc | 12
3 files changed, 21 insertions, 16 deletions
diff --git a/doc/en/includes/autogen_user_options.en.adoc b/doc/en/includes/autogen_user_options.en.adoc
index ec443d0b4..b799bb0bb 100644
--- a/doc/en/includes/autogen_user_options.en.adoc
+++ b/doc/en/includes/autogen_user_options.en.adoc
@@ -1260,11 +1260,17 @@
** values: 1 .. 2147483647
** default value: `+60+`
-* [[option_weechat.network.gnutls_ca_file]] *weechat.network.gnutls_ca_file*
-** description: pass:none[file containing the certificate authorities (path is evaluated, see function string_eval_path_home in plugin API reference)]
+* [[option_weechat.network.gnutls_ca_system]] *weechat.network.gnutls_ca_system*
+** description: pass:none[load system's default trusted certificate authorities on startup; this can be turned off to save some memory only if you are not using SSL connections at all]
+** type: boolean
+** values: on, off
+** default value: `+on+`
+
+* [[option_weechat.network.gnutls_ca_user]] *weechat.network.gnutls_ca_user*
+** description: pass:none[extra file(s) with certificate authorities; multiple files must be separated by colons (each path is evaluated, see function string_eval_path_home in plugin API reference)]
** type: string
** values: any string
-** default value: `+"/etc/ssl/certs/ca-certificates.crt"+`
+** default value: `+""+`
* [[option_weechat.network.gnutls_handshake_timeout]] *weechat.network.gnutls_handshake_timeout*
** description: pass:none[timeout (in seconds) for gnutls handshake]
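Review bot: the new description of weechat.network.gnutls_ca_system says the CAs are loaded "on startup", while the commit message states that certificates are reloaded when the options are changed; the two should agree, for example by dropping "on startup" or by adding that a change takes effect without a restart. The gnutls_ca_user entry also never mentions that it replaces gnutls_ca_file, so a reader searching this reference for the old name finds nothing. As this file is autogenerated, both wording changes belong in the option descriptions it is generated from.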
diff --git a/doc/en/weechat_faq.en.adoc b/doc/en/weechat_faq.en.adoc
index b9a376118..c841117bb 100644
--- a/doc/en/weechat_faq.en.adoc
+++ b/doc/en/weechat_faq.en.adoc
@@ -727,7 +727,8 @@ you have to use kbd:[Alt] instead of kbd:[Shift]).
If you are using macOS, you must install `openssl` from Homebrew.
A CA file will be bootstrapped using certificates from the system keychain.
-You can then set the path to certificates in WeeChat:
+
+With WeeChat ≤ 3.1, you can then set the path to system certificates:
----
/set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem"
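Review bot: after the added "With WeeChat ≤ 3.1" sentence, the macOS answer has no instruction for later versions, where the option is no longer called gnutls_ca_file. Suggest adding the equivalent step for newer versions, stating either that the Homebrew cert.pem goes in weechat.network.gnutls_ca_user or that nothing needs to be set while gnutls_ca_system is on.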
@@ -767,7 +768,8 @@ by your server name:
[[irc_ssl_freenode]]
=== How can I connect to freenode server using SSL?
-Set option _weechat.network.gnutls_ca_file_ to file with certificates:
+With WeeChat ≤ 3.1, set option _weechat.network.gnutls_ca_file_ to file with
+certificates:
----
/set weechat.network.gnutls_ca_file "/etc/ssl/certs/ca-certificates.crt"
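Review bot: the freenode answer now opens with a step that applies only to WeeChat ≤ 3.1 and does not say that later versions can skip it. One sentence noting that newer versions load the system CAs by default (gnutls_ca_system defaults to on) would keep readers from looking for an option that has been renamed.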
@@ -1047,8 +1049,7 @@ Scripts are not compatible with other IRC clients.
[[scripts_update]]
=== The command "/script update" can not read scripts, how to fix that?
-First check questions about SSL connection in this FAQ
-(especially the option _weechat.network.gnutls_ca_file_).
+First check questions about SSL connection in this FAQ.
If still not working, try to manually delete the scripts file (in your shell):
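Review bot: dropping the parenthetical removes the only hint in this answer about which setting to check. Rather than deleting it, consider pointing at the new options, _weechat.network.gnutls_ca_system_ and _weechat.network.gnutls_ca_user_, so the troubleshooting path still names something concrete.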
@@ -1128,8 +1129,8 @@ You can try following tips to consume less memory:
fifo, logger, perl, python, ruby, lua, tcl, guile, javascript, php, spell,
xfer (used for DCC). See `/help weechat.plugin.autoload`.
* Load only scripts that you really need.
-* Do not load certificates if SSL is *NOT* used: set empty string in option
- _weechat.network.gnutls_ca_file_.
+* Do not load system certificates if SSL is *NOT* used: turn off this option:
+ _weechat.network.gnutls_ca_system_.
* Reduce value of option _weechat.history.max_buffer_lines_number_ or set value
of option _weechat.history.max_buffer_lines_minutes_.
* Reduce value of option _weechat.history.max_commands_.
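Review bot: the rewritten bullet reads "is *NOT* used: turn off this option:" with two colons in a row and "this option" before the option has been named; "turn off option _weechat.network.gnutls_ca_system_" reads better. The tip also covers only the system CAs: gnutls_ca_user holds certificate authority files too, so the bullet could add that it should be left empty when SSL is not used.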
diff --git a/doc/en/weechat_user.en.adoc b/doc/en/weechat_user.en.adoc
index d14e504d6..98fb83736 100644
--- a/doc/en/weechat_user.en.adoc
+++ b/doc/en/weechat_user.en.adoc
@@ -198,11 +198,6 @@ List of commonly used options:
The value can also be 4 directories separated by colons, in this order:
config, data, cache, runtime.
-| CA_FILE | file | /etc/ssl/certs/ca-certificates.crt |
- File containing the certificate authorities.
- This is the default value of option
- <<option_weechat.network.gnutls_ca_file,weechat.network.gnutls_ca_file>>.
-
| ENABLE_ALIAS | `ON`, `OFF` | ON |
Compile <<alias_plugin,Alias plugin>>.
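Review bot: removing the CA_FILE row leaves no pointer for anyone who built with a non-default CA path, since the row was what tied the build option to the default of gnutls_ca_file. Within doc/en nothing says what replaces it, so a short upgrade note (system CAs via gnutls_ca_system, extra files via gnutls_ca_user) would help packagers.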
@@ -2857,8 +2852,11 @@ connection is fully trusted.
Some options are used to control SSL connection:
-weechat.network.gnutls_ca_file::
- path to file with certificate authorities
+weechat.network.gnutls_ca_system::
+ load system's default trusted certificate authorities on startup
+
+weechat.network.gnutls_ca_user::
+ extra file(s) with certificate authorities
irc.server.xxx.ssl_cert::
SSL certificate file used to automatically identify your nick (for example
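Review bot: the two new definitions do not say how the options combine, which is the part that matters for trust decisions. gnutls_ca_user is described as "extra" files, so anything listed there widens the set of trusted CAs, and the text does not state what happens to certificate verification when gnutls_ca_system is off and gnutls_ca_user is empty. Suggest one sentence on each, plus the colon-separated format that the option description mentions.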