Clarify --capath option in manpage

Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.

Attached are patches for the master and release/2.3 branches.  The only
difference is that in the master patch, a line referencing the
requirement for OpenSSL 0.9.7 is removed, since master already requires
OpenSSL >= 0.9.8.

-Steffan

Content-Type: text/x-patch;
name="2.3-Clarify-capath-option-in-manpage.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="2.3-Clarify-capath-option-in-manpage.patch"

>From 3626088e146dbf959d7ec73f4e7cc5ab24c1ad57 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 24 May 2015 11:18:34 +0200
Subject: [PATCH] Clarify --capath option in manpage

Prevent confusion as described in trac #422 by better explaining the
behaviour of --capath, and providing pointers to relevant openssl man
pages.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <55619DC4.2020108@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9732
Signed-off-by: Gert Doering <gert@greenie.muc.de>

doc/openvpn.8

@@ -4271,8 +4271,23 @@ they are distributed with OpenVPN, they are totally insecure.
 .TP
 .B \-\-capath dir
 Directory containing trusted certificates (CAs and CRLs).
-Available with OpenSSL version >= 0.9.7 dev.
 Not available with PolarSSL.
+
+When using the
+.B \-\-capath
+option, you are required to supply valid CRLs for the CAs too.  CAs in the
+capath directory are expected to be named <hash>.<n>.  CRLs are expected to
+be named <hash>.r<n>.  See the
+.B -CApath
+option of
+.B openssl verify
+, and the
+.B -hash
+option of
+.B openssl x509
+and
+.B openssl crl
+for more information.
 .\"*********************************************************
 .TP
 .B \-\-dh file