
@tsibley
Created October 16, 2024 18:24
diff --git a/src/reference/ca-certificates.rst b/src/reference/ca-certificates.rst
index 086e37e..583d030 100644
--- a/src/reference/ca-certificates.rst
+++ b/src/reference/ca-certificates.rst
@@ -68,7 +68,8 @@ OpenSSL is the most common library used to provide TLS/SSL support in
application software. Its `default locations of trusted CA certificates
<https://docs.openssl.org/3.0/man3/SSL_CTX_load_verify_locations/>`__ can be
overridden by setting the ``SSL_CERT_FILE`` and/or ``SSL_CERT_DIR`` environment
-variables.
+variables. Filenames in the latter must be hashed with OpenSSL's ``c_rehash``
+utility.
Its final trust store is built from certificates in all default locations, so
to *comprehensively* override the defaults, all locations must be overridden.
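Review bot: the added sentence "Filenames in the latter must be hashed with OpenSSL's ``c_rehash`` utility." should also name the built-in ``openssl rehash`` subcommand, which has superseded the ``c_rehash`` Perl script since OpenSSL 1.1.0 and is the one available on systems without Perl. It would also help to state what the requirement actually is: ``SSL_CERT_DIR`` is looked up by subject-name hash (``<hash>.0`` links or files), so a directory of arbitrarily named PEM files is not rejected, the CAs in it are simply never found and verification fails with an "unable to get local issuer certificate" style error. Suggested wording: "Certificates in the latter must be named by subject-name hash; run ``openssl rehash`` (or the older ``c_rehash``) on the directory to create the required links."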
@@ -156,7 +157,25 @@ Set the |REQUESTS_CA_BUNDLE|_ environment variable to override.
Nextclade CLI
-------------
-*Applies to Nextclade v3.*
+.. XXX FIXME version
+
+*Applies to Nextclade v3 from 3.x.y (3.9.0???) and onwards.*
+
+Uses CA certificates extracted from the OS-level trust store via the
+|rustls-native-certs|_ Rust crate plus its own bundled snapshot of `Mozilla's
+CA trust store`_ via the |webpki-roots|_ Rust crate (by way of the ``reqwest``
+crate's |rustls-tls-webpki-roots feature|_).
+
+Set the OpenSSL-style ``SSL_CERT_FILE`` or ``SSL_CERT_DIR`` environment
+variables to override the OS-level trust store (on all platforms, not just
+those using :ref:`OpenSSL <openssl>`). The bundled trust store is always
+included and cannot be overridden.
+
+Set the ``NEXTCLADE_EXTRA_CA_CERTS`` environment variable to add CA
+certificates to the default trust store.
+
+
+*Applies to Nextclade v3 up to 3.8.2.*
Uses its own bundled snapshot of `Mozilla's CA trust store`_ via the
|webpki-roots|_ Rust crate (by way of the ``reqwest`` crate's
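Review bot: the ``.. XXX FIXME version`` comment and "*Applies to Nextclade v3 from 3.x.y (3.9.0???) and onwards.*" are unresolved placeholders and should not be merged as is; until the version is filled in, this paragraph and the later "*Applies to Nextclade v3 up to 3.8.2.*" paragraph do not agree on where the boundary lies. Two things the new text should also document, since the OpenSSL section above sets reader expectations: whether ``SSL_CERT_DIR`` as read through ``rustls-native-certs`` follows the hashed-filename rule described there or loads every file in the directory, and whether setting ``SSL_CERT_FILE``/``SSL_CERT_DIR`` replaces the OS-level store or is added to it (the word "override" implies replace). "The bundled trust store is always included and cannot be overridden." deserves an explicit caveat that a root distrusted by the OS or removed from the OS store is still trusted by Nextclade until a release ships a newer ``webpki-roots`` snapshot. Finally, ``NEXTCLADE_EXTRA_CA_CERTS`` should say what value it takes (a path to a PEM file? one or more paths?), and the doubled blank line before "*Applies to Nextclade v3 up to 3.8.2.*" can be reduced to one.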
@@ -165,10 +184,11 @@ Uses its own bundled snapshot of `Mozilla's CA trust store`_ via the
There is currently no way to configure or modify the trust store without
modifying the Nextclade source code.
-.. I have a fix in-flight for ↑ that. —trs, 10 Oct 2024
+.. |rustls-native-certs| replace:: ``rustls-native-certs``
+.. _rustls-native-certs: https://docs.rs/crate/rustls-native-certs/0.8.0
.. |webpki-roots| replace:: ``webpki-roots``
-.. _webpki-roots: https://docs.rs/webpki-roots/0.26.6/webpki_roots/
+.. _webpki-roots: https://docs.rs/crate/webpki-roots/0.26.6
.. |rustls-tls-webpki-roots feature| replace:: ``rustls-tls-webpki-roots`` feature
.. _rustls-tls-webpki-roots feature: https://docs.rs/reqwest/0.12.8/reqwest/#optional-features
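Review bot: the link targets are pinned to specific crate versions (``rustls-native-certs`` 0.8.0, ``webpki-roots`` 0.26.6, ``reqwest`` 0.12.8) without saying where those numbers come from; since the section above states that the bundled ``webpki-roots`` snapshot cannot be overridden, which version ships is the security-relevant fact, so consider noting that these correspond to the Nextclade release named in the "Applies to" line (or pointing at the repository's lockfile) so they do not silently drift.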