DOC: configuration: update the crt-list documentation

Update the crt-list documentation with the supported keywords.

Also format it in a more clear way.

Must be backported to 2.8.

doc/configuration.txt

@@ -16025,11 +16025,28 @@ crt-list <file>
 
         <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
 
-  sslbindconf supports "allow-0rtt", "alpn", "ca-file", "ca-verify-file",
+  sslbindconf supports the following keywords from the bind line
-  "ciphers", "ciphersuites", "crl-file", "curves", "ecdhe", "no-ca-names",
+  (see Section 5.1. Bind options):
-  "npn", "verify" configuration. With BoringSSL and Openssl >= 1.1.1
+
-  "ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the
+  - allow-0rtt
-  configuration set in bind line for the certificate.
+  - alpn
+  - ca-file
+  - ca-verify-file
+  - ciphers
+  - ciphersuites
+  - client-sigalgs
+  - crl-file
+  - curves
+  - ecdhe
+  - no-alpn
+  - no-ca-names
+  - npn
+  - sigalgs
+  - ssl-min-ver
+  - ssl-max-ver
+  - verify
+
+  It overrides the configuration set in bind line for the certificate.
 
   Wildcards are supported in the SNI filter. Negative filter are also supported,
   useful in combination with a wildcard filter to exclude a particular SNI, or

src/cfgparse-ssl.c

@@ -2157,7 +2157,12 @@ static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct p
  */
 
 /* the <ssl_crtlist_kws> keywords are used for crt-list parsing, they *MUST* be safe
- * with their proxy argument NULL and must only fill the ssl_bind_conf */
+ * with their proxy argument NULL and must only fill the ssl_bind_conf
+ *
+ * /!\ Please update configuration.txt at the crt-list option of the Bind options
+ * section when adding a keyword in ssl_crtlist_kws. /!\
+ *
+ */
 struct ssl_crtlist_kw ssl_crtlist_kws[] = {
 	{ "allow-0rtt",            ssl_bind_parse_allow_0rtt,       0 }, /* allow 0-RTT */
 	{ "alpn",                  ssl_bind_parse_alpn,             1 }, /* set ALPN supported protocols */