diff options
author | Rob Percival <robpercival@google.com> | 2016-03-03 14:07:28 +0000 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-03-04 10:50:11 -0500 |
commit | eb64a6c6762652a5a293819f6934046e8a148c5e (patch) | |
tree | 0a3f876e4b7d979f94fcd83077269ad74264f0cd | |
parent | 238d692c6a9b07ce04d896481783478086fedc6d (diff) |
Documentation for new CT s_client flags
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | doc/apps/s_client.pod | 19 |
3 files changed, 25 insertions, 0 deletions
@@ -873,6 +873,11 @@ whose return value is often ignored. [Steve Henson] + *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. + These allow SCTs (signed certificate timestamps) to be requested and + validated when establishing a connection. + [Rob Percival <robpercival@google.com>] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. @@ -39,6 +39,7 @@ o Support for X25519 o Extended SSL_CONF support using configuration files o KDF algorithm support. Implement TLS PRF as a KDF. + o Support for Certificate Transparency Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index d794b341c9..607ece5541 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -91,6 +91,8 @@ B<openssl> B<s_client> [B<-serverinfo types>] [B<-status>] [B<-nextprotoneg protocols>] +[B<-noct|requestct|requirect>] +[B<-ctlogfile>] =head1 DESCRIPTION @@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols. +=item B<-noct|requestct|requirect> + +Use one of these three options to control whether Certificate Transparency (CT) +is disabled (-noct), enabled but not enforced (-requestct), or enabled and +enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs) +will be requested from the server and invalid SCTs will cause the connection to +be aborted. If CT is enforced, at least one valid SCT from a recognised CT log +(see B<-ctlogfile>) will be required or the connection will be aborted. + +Enabling CT also enables OCSP stapling, as this is one possible delivery method +for SCTs. + +=item B<-ctlogfile> + +A file containing a list of known Certificate Transparency logs. See +L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format. + =back =head1 CONNECTED COMMANDS |