diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-07 14:17:37 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-07 14:41:34 -0400 |
commit | 43341433a88a6a2cd38c35359f48653e809b10cd (patch) | |
tree | 37b70a38d94f8f9bfa18f633b35df2647d13273a /doc/apps | |
parent | c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (diff) |
Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates. Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing
when the chain is fails verification.
Move and consolidate CT callbacks from libcrypto to libssl. We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.
Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information. When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r-- | doc/apps/s_client.pod | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 881fbcfefe..e06af14ec9 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -95,7 +95,7 @@ B<openssl> B<s_client> [B<-serverinfo types>] [B<-status>] [B<-nextprotoneg protocols>] -[B<-noct|requestct|requirect>] +[B<-ct|noct>] [B<-ctlogfile>] =head1 DESCRIPTION @@ -464,14 +464,12 @@ Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols. -=item B<-noct|requestct|requirect> +=item B<-ct|noct> -Use one of these three options to control whether Certificate Transparency (CT) -is disabled (-noct), enabled but not enforced (-requestct), or enabled and -enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs) -will be requested from the server and invalid SCTs will cause the connection to -be aborted. If CT is enforced, at least one valid SCT from a recognised CT log -(see B<-ctlogfile>) will be required or the connection will be aborted. +Use one of these two options to control whether Certificate Transparency (CT) +is enabled (B<-ct>) or disabled (B<-noct>). +If CT is enabled, signed certificate timestamps (SCTs) will be requested from +the server and reported at handshake completion. Enabling CT also enables OCSP stapling, as this is one possible delivery method for SCTs. |