diff options
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | doc/apps/s_client.pod | 19 |
3 files changed, 25 insertions, 0 deletions
@@ -873,6 +873,11 @@ whose return value is often ignored. [Steve Henson] + *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. + These allow SCTs (signed certificate timestamps) to be requested and + validated when establishing a connection. + [Rob Percival <robpercival@google.com>] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. @@ -39,6 +39,7 @@ o Support for X25519 o Extended SSL_CONF support using configuration files o KDF algorithm support. Implement TLS PRF as a KDF. + o Support for Certificate Transparency Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index d794b341c9..607ece5541 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -91,6 +91,8 @@ B<openssl> B<s_client> [B<-serverinfo types>] [B<-status>] [B<-nextprotoneg protocols>] +[B<-noct|requestct|requirect>] +[B<-ctlogfile>] =head1 DESCRIPTION @@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols. +=item B<-noct|requestct|requirect> + +Use one of these three options to control whether Certificate Transparency (CT) +is disabled (-noct), enabled but not enforced (-requestct), or enabled and +enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs) +will be requested from the server and invalid SCTs will cause the connection to +be aborted. If CT is enforced, at least one valid SCT from a recognised CT log +(see B<-ctlogfile>) will be required or the connection will be aborted. + +Enabling CT also enables OCSP stapling, as this is one possible delivery method +for SCTs. + +=item B<-ctlogfile> + +A file containing a list of known Certificate Transparency logs. See +L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format. + =back =head1 CONNECTED COMMANDS |