diff options
author | Rob Percival <robpercival@google.com> | 2016-03-03 14:07:28 +0000 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-03-04 10:50:11 -0500 |
commit | eb64a6c6762652a5a293819f6934046e8a148c5e (patch) | |
tree | 0a3f876e4b7d979f94fcd83077269ad74264f0cd /doc | |
parent | 238d692c6a9b07ce04d896481783478086fedc6d (diff) |
Documentation for new CT s_client flags
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/apps/s_client.pod | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index d794b341c9..607ece5541 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -91,6 +91,8 @@ B<openssl> B<s_client> [B<-serverinfo types>] [B<-status>] [B<-nextprotoneg protocols>] +[B<-noct|requestct|requirect>] +[B<-ctlogfile>] =head1 DESCRIPTION @@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols. +=item B<-noct|requestct|requirect> + +Use one of these three options to control whether Certificate Transparency (CT) +is disabled (-noct), enabled but not enforced (-requestct), or enabled and +enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs) +will be requested from the server and invalid SCTs will cause the connection to +be aborted. If CT is enforced, at least one valid SCT from a recognised CT log +(see B<-ctlogfile>) will be required or the connection will be aborted. + +Enabling CT also enables OCSP stapling, as this is one possible delivery method +for SCTs. + +=item B<-ctlogfile> + +A file containing a list of known Certificate Transparency logs. See +L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format. + =back =head1 CONNECTED COMMANDS |