=== modified file 'clients.conf'
--- clients.conf	2022-04-23 20:36:45 +0000
+++ clients.conf	2023-02-07 19:29:28 +0000
@@ -50,8 +50,9 @@
 ;fingerprint =  7788 2722 5BA7 DE53 9C5A  7CFA 59CF F7CD BD9A 5920
 ;
 ;# This is base64-encoded binary data.  It will be decoded and sent to
-;# the client matching the above fingerprint.  This should, of course,
-;# be OpenPGP encrypted data, decryptable only by the client.
+;# the client matching the above key_id (for GnuTLS 3.6.6 or later) or
+;# the above fingerprint (for GnuTLS before 3.6.0).  This should, of
+;# course, be OpenPGP encrypted data, decryptable only by the client.
 ;secret =
 ;        hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234
 ;        REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N

=== modified file 'mandos-clients.conf.xml'
--- mandos-clients.conf.xml	2019-02-10 04:20:26 +0000
+++ mandos-clients.conf.xml	2023-02-07 19:29:28 +0000
@@ -228,13 +228,16 @@
 	><replaceable>HEXSTRING</replaceable></option></term>
 	<listitem>
 	  <para>
-	    This option is <emphasis>required</emphasis>.
+	    This option is <emphasis>required</emphasis> if the
+	    <option>key_id</option> is not set, and
+	    <emphasis>optional</emphasis> otherwise.
 	  </para>
 	  <para>
-	    This option sets the OpenPGP fingerprint that identifies
-	    the public key that clients authenticate themselves with
-	    through TLS.  The string needs to be in hexadecimal form,
-	    but spaces or upper/lower case are not significant.
+	    This option sets the OpenPGP fingerprint that (before
+	    GnuTLS 3.6.0) identified the public key that clients
+	    authenticate themselves with through TLS.  The string
+	    needs to be in hexadecimal form, but spaces or upper/lower
+	    case are not significant.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -244,13 +247,16 @@
 	><replaceable>HEXSTRING</replaceable></option></term>
 	<listitem>
 	  <para>
-	    This option is <emphasis>optional</emphasis>.
+	    This option is <emphasis>required</emphasis> if the
+	    <option>fingerprint</option> is not set, and
+	    <emphasis>optional</emphasis> otherwise.
 	  </para>
 	  <para>
-	    This option sets the certificate key ID that identifies
-	    the public key that clients authenticate themselves with
-	    through TLS.  The string needs to be in hexadecimal form,
-	    but spaces or upper/lower case are not significant.
+	    This option sets the certificate key ID that (with GnuTLS
+	    3.6.6 or later) identifies the public key that clients
+	    authenticate themselves with through TLS.  The string
+	    needs to be in hexadecimal form, but spaces or upper/lower
+	    case are not significant.
 	  </para>
 	</listitem>
       </varlistentry>