authorRob Percival <robpercival@google.com>2016-04-28 07:37:24 +0100
committerMatt Caswell <matt@openssl.org>2016-08-24 13:58:19 +0100
commit56f3f714ef3f347898706826daae56eb4b2682ed (patch)
tree6a7449769e40a4547a55656f77badc695ab4cf86 /doc/ssl
parentc42b8a6e4bced8f6ecf0a0d9a0107e6e989da0c2 (diff)
First draft of CT documentation
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'doc/ssl')
-rw-r--r--doc/ssl/SSL_CTX_set_ctlog_list_file.pod20
-rw-r--r--doc/ssl/ssl.pod5
2 files changed, 10 insertions, 15 deletions
diff --git a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
index 737dea9d7c..4a2fa946fe 100644
--- a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
+++ b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
@@ -18,24 +18,13 @@ SSL_CTX_set_default_ctlog_list_file() loads a list of Certificate Transparency
(CT) logs from the default file location, "ct_log_list.cnf", found in the
directory where OpenSSL is installed.
-SSL_CTX_set_ctlog_list_file() loads a list of CT logs from a given path.
-
-The expected format of the log list file is:
-
- enabled_logs=foo,bar
-
- [foo]
- description = Log 1
- key = <base64-encoded public key here>
-
- [bar]
- description = Log 2
- key = <base64-encoded public key here>
+SSL_CTX_set_ctlog_list_file() loads a list of CT logs from a specific path.
+See L<CTLOG_STORE_new(3)> for the file format.
=head1 NOTES
These functions will not clear the existing CT log list - it will be appended
-to.
+to. To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first.
If an error occurs whilst parsing a particular log entry in the file, that log
entry will be skipped.
@@ -49,7 +38,8 @@ the case of an error, the log list may have been partially loaded.
=head1 SEE ALSO
L<ssl(3)>,
-L<ssl_ct_validation_cb(3)>
+L<SSL_CTX_set_ct_validation_callback(3)>,
+L<CTLOG_STORE_new(3)>
=head1 COPYRIGHT
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 6d78437159..087e1f4ebd 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -330,6 +330,8 @@ protocol context defined in the B<SSL_CTX> structure.
=item void B<SSL_CTX_set_client_cert_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+=item int B<SSL_CTX_set_ct_validation_callback>(SSL_CTX *ctx, ssl_ct_validation_cb callback, void *arg);
+
=item void B<SSL_CTX_set_default_passwd_cb>(SSL_CTX *ctx, int (*cb);(void))
=item void B<SSL_CTX_set_default_read_ahead>(SSL_CTX *ctx, int m);
@@ -630,6 +632,8 @@ fresh handle for each connection.
=item void B<SSL_set_connect_state>(SSL *ssl);
+=item int B<SSL_set_ct_validation_callback>(SSL *ssl, ssl_ct_validation_cb callback, void *arg);
+
=item int B<SSL_set_ex_data>(SSL *ssl, int idx, char *arg);
=item int B<SSL_set_fd>(SSL *ssl, int fd);
@@ -770,6 +774,7 @@ L<SSL_CTX_set_verify(3)>,
L<SSL_CTX_use_certificate(3)>,
L<SSL_alert_type_string(3)>,
L<SSL_do_handshake(3)>,
+L<SSL_enable_ct(3)>,
L<SSL_get_SSL_CTX(3)>,
L<SSL_get_ciphers(3)>,
L<SSL_get_client_CA_list(3)>,