NSM-related doc fixes

* src/gnutls.c (Fgnutls_peer_status): Mention :certificates in the
doc string.

* etc/NEWS: Mention how to switch off the additional TLS checks.

2 files changed, 15 insertions, 3 deletions

diff --git a/etc/NEWS b/etc/NEWS
index 375f0400541..8883066237b 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -137,7 +137,11 @@ variable.
 
 +++
 ** Most of the checks for outdated, believed-to-be-weak TLS algorithms
-and ciphers are now switched on by default.
+and ciphers are now switched on by default.  To get the old behaviour
+back (where certificates are checked for validity, but no warnings
+about weak cryptography are issued), you can either set
+`network-security-protocol-checks' to nil, or adjust the elements in
+that variable to only happen on the `high' security level.
 
 +++
 ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'.
diff --git a/src/gnutls.c b/src/gnutls.c
index d22d5d267c1..dfbbecfc870 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1210,9 +1210,17 @@ DEFUN ("gnutls-peer-status-warning-describe", Fgnutls_peer_status_warning_descri
 
 DEFUN ("gnutls-peer-status", Fgnutls_peer_status, Sgnutls_peer_status, 1, 1, 0,
        doc: /* Describe a GnuTLS PROC peer certificate and any warnings about it.
+
 The return value is a property list with top-level keys :warnings and
-:certificate.  The :warnings entry is a list of symbols you can describe with
-`gnutls-peer-status-warning-describe'. */)
+:certificates.
+
+The :warnings entry is a list of symbols you can get a description of
+with `gnutls-peer-status-warning-describe', and :certificates is the
+certificate chain for the connection, with the host certificate
+first, and intermediary certificates (if any) follow.
+
+In addition, for backwards compatibility, the host certificate is also
+returned as the :certificate entry.  */)
   (Lisp_Object proc)
 {
   Lisp_Object warnings = Qnil, result = Qnil;