squash

alanking · alanking · commit 50bd3e0942f8 · 2025-04-01T09:24:16.000-04:00
diff --git a/docs/plugins/pluggable_authentication.md b/docs/plugins/pluggable_authentication.md
@@ -85,39 +85,3 @@ Since PAM requires the user's password in plaintext, iRODS relies on SSL encrypt
 In order to use the iRODS PAM support, you also need to have SSL working between the iRODS client and server.
 
 See [SSL/TLS Documentation](../../system_overview/ssl_and_tls) for instructions to set up SSL/TLS communications between iRODS clients and servers.
-
-After setting up SSL on the server side, test SSL by using the PAM authentication (which requires an SSL connection) and running ``iinit`` with the log level set to LOG_NOTICE.
-
-If you see messages as follows, you need to set up trust for the server's certificate, or you need to turn off server verification. See [Server Verification Settings](../../system_overview/ssl_and_tls#server-verification-settings) for more details about how to do this.
-
-Error from non-trusted self-signed certificate:
-
-~~~
-irods@hostname:~/ $ IRODS_LOG_LEVEL=LOG_NOTICE iinit
-NOTICE: environment variable set, irods_log_level(input)=LOG_NOTICE, value=5
-NOTICE: created irods_home=/dn/home/irods
-NOTICE: created irods_cwd=/dn/home/irods
-Enter your current PAM (system) password:
-NOTICE: sslVerifyCallback: problem with certificate at depth: 0
-NOTICE: sslVerifyCallback:   issuer = /C=US/ST=North Carolina/L=Chapel Hill/O=RENCI/CN=irods.example.org
-NOTICE: sslVerifyCallback:   subject = /C=US/ST=North Carolina/L=Chapel Hill/O=RENCI/CN=irods.example.org
-NOTICE: sslVerifyCallback:   err 18:self signed certificate
-ERROR: sslStart: error in SSL_connect. SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-sslStart failed with error -2103000 SSL_HANDSHAKE_ERROR
-~~~
-
-Error from untrusted CA that signed the server certificate:
-
-~~~
-irods@hostname:~/ $ IRODS_LOG_LEVEL=LOG_NOTICE iinit
-NOTICE: environment variable set, irods_log_level(input)=LOG_NOTICE, value=5
-NOTICE: created irods_home=/dn/home/irods
-NOTICE: created irods_cwd=/dn/home/irods
-Enter your current PAM (system) password:
-NOTICE: sslVerifyCallback: problem with certificate at depth: 1
-NOTICE: sslVerifyCallback:   issuer = /C=US/ST=North Carolina/O=example.org/CN=irods.example.org Certificate Authority
-NOTICE: sslVerifyCallback:   subject = /C=US/ST=North Carolina/O=example.org/CN=irods.example.org Certificate Authority
-NOTICE: sslVerifyCallback:   err 19:self signed certificate in certificate chain
-ERROR: sslStart: error in SSL_connect. SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-sslStart failed with error -2103000 SSL_HANDSHAKE_ERROR
-~~~
diff --git a/docs/system_overview/configuration.md b/docs/system_overview/configuration.md
@@ -408,7 +408,7 @@ This file defines the behavior of the server Agent that answers individual reque
 
     // (Optional)
     // Defines server-side TLS configurations. Although the "tls" object itself is optional,
-    // all sub-items are required if "tls" is defined.
+    // all sub-properties are required if "tls" is defined.
     "tls": {
         // Absolute path to the file containing the server's certificate chain.
         // The certificates must be in PEM format and must be sorted starting with the subject's
diff --git a/docs/system_overview/ssl_and_tls.md b/docs/system_overview/ssl_and_tls.md
@@ -108,15 +108,14 @@ The client may or may not require configuration at the SSL level, but there are
 
 ### Server Verification Settings
 
-Server verification can be turned off using the irods_ssl_verify_server `irods_environment.json` property. If this variable is set to 'none', then any certificate (or none) is accepted by the client. This means that your connection will be encrypted, but you cannot be sure to what server (i.e. there is no server authentication). For that reason, this mode is discouraged.
+Server verification can be turned off using the `irods_ssl_verify_server` `irods_environment.json` property. If this variable is set to 'none', then any certificate (or none) is accepted by the client. This means that your connection will be encrypted, but you cannot be sure to what server (i.e. there is no server authentication). For that reason, this mode is discouraged.
 
 It is much better to set up trust for the server's certificate, even if it is a self-signed certificate. The easiest way is to use the irods_ssl_ca_certificate_file `irods_environment.json` property to contain all the certificates of either hosts or CAs that you trust. If you configured the server as described above, you could just set the following property in your `irods_environment.json`:
 
 ~~~
 "irods_ssl_ca_certificate_file": "/etc/irods/chain.pem"
 ~~~
 
-
 Or this file could just contain the root CA certificate for a CA-signed server certificate. Another potential issue is that the server certificate does not contain the proper FQDN (in either the Common Name field or the subjectAltName field) to match the client's 'irods_host' property. If this situation cannot be corrected on the server side, the client can set:
 
 ~~~
