author Rich Salz <rsalz@openssl.org> 2016-03-10 10:37:31 -0500
committer Rich Salz <rsalz@openssl.org> 2016-03-12 13:02:34 -0500
commit 36cc1390f265ce5f07a8841c106a6e1e7e021678
tree 4d62a2576f09d6c90e0dd4956df8c90608951076 /doc
parent 4b8574461b92ea64ef048335f942995a09025331
Add doc on when to use SCT callback.
With help from Viktor. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/ssl/SSL_CTX_set_ct_validation_callback.pod | 6
-rw-r--r-- doc/ssl/SSL_get0_peer_scts.pod | 2
2 files changed, 7 insertions, 1 deletions
diff --git a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
index 59ab293c0a..167a044536 100644
--- a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
@@ -42,6 +42,12 @@ Certificate Transparency validation cannot be enabled and so a callback cannot
be set if a custom client extension handler has been registered to handle SCT
extensions (B<TLSEXT_TYPE_signed_certificate_timestamp>).
+If an SCT callback is enabled, a handshake may fail if the peer does
+not provide a certificate, which can happen when using opportunistic
+encryption with anonymous (B<aNULL>) cipher-suites enabled on both ends.
+SCTs should only be used when the application requires an authenticated
+connection, and wishes to perform additional validation on that identity.
+
=head1 RETURN VALUES
SSL_CTX_set_ct_validation_callback() and SSL_set_ct_validation_callback()
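Review bot: The new paragraph tells the reader a handshake "may fail" when the peer sends no certificate, but not what that failure looks like or who raises it, so an application author cannot tell whether the library aborts the handshake itself or whether it is the application's own callback that is invoked with nothing to validate. Either state the concrete outcome (which call fails and how), or better, treat "no peer certificate" as "nothing to validate" and skip SCT validation in that case: the paragraph itself says SCTs are "additional validation on that identity", and with an anonymous (aNULL) suite there is no identity to attest to, so failing the connection adds no security and only breaks the opportunistic-encryption case it describes. If the failure is intended, the guidance "SCTs should only be used when the application requires an authenticated connection" reads as a usage note rather than a description of the function and would sit more naturally under a =head1 NOTES section than immediately before RETURN VALUES. Minor: "cipher-suites" is normally written "cipher suites" in these pages.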
diff --git a/doc/ssl/SSL_get0_peer_scts.pod b/doc/ssl/SSL_get0_peer_scts.pod
index a2a1a29906..f14ba17a19 100644
--- a/doc/ssl/SSL_get0_peer_scts.pod
+++ b/doc/ssl/SSL_get0_peer_scts.pod
@@ -21,7 +21,7 @@ the peer's certificate for SCTs. Future calls will return the same SCTs.
If no Certificate Transparency validation callback has been set (using
B<SSL_CTX_set_ct_validation_callback> or B<SSL_set_ct_validation_callback>),
-this function is not guarantee to return all of the SCTs that the peer is
+this function is not guaranteed to return all of the SCTs that the peer is
capable of sending.
=head1 RETURN VALUES
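Review bot: The "guarantee" to "guaranteed" fix is correct; while touching this sentence, "all of the SCTs that the peer is capable of sending" still leaves the reader guessing which SCTs are missed. The context line above says the function looks at the peer's certificate for SCTs, so it would be clearer to say directly that without a validation callback only SCTs embedded in the certificate are returned, and that SCTs delivered by the other means are not collected.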