diff options
-rw-r--r-- | doc/ssl/SSL_CTX_set_ct_validation_callback.pod | 6 | ||||
-rw-r--r-- | doc/ssl/SSL_get0_peer_scts.pod | 2 |
2 files changed, 7 insertions, 1 deletions
diff --git a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod index 59ab293c0a..167a044536 100644 --- a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod +++ b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod @@ -42,6 +42,12 @@ Certificate Transparency validation cannot be enabled and so a callback cannot be set if a custom client extension handler has been registered to handle SCT extensions (B<TLSEXT_TYPE_signed_certificate_timestamp>). +If an SCT callback is enabled, a handshake may fail if the peer does +not provide a certificate, which can happen when using opportunistic +encryption with anonymous (B<aNULL>) cipher-suites enabled on both ends. +SCTs should only be used when the application requires an authenticated +connection, and wishes to perform additional validation on that identity. + =head1 RETURN VALUES SSL_CTX_set_ct_validation_callback() and SSL_set_ct_validation_callback() diff --git a/doc/ssl/SSL_get0_peer_scts.pod b/doc/ssl/SSL_get0_peer_scts.pod index a2a1a29906..f14ba17a19 100644 --- a/doc/ssl/SSL_get0_peer_scts.pod +++ b/doc/ssl/SSL_get0_peer_scts.pod @@ -21,7 +21,7 @@ the peer's certificate for SCTs. Future calls will return the same SCTs. If no Certificate Transparency validation callback has been set (using B<SSL_CTX_set_ct_validation_callback> or B<SSL_set_ct_validation_callback>), -this function is not guarantee to return all of the SCTs that the peer is +this function is not guaranteed to return all of the SCTs that the peer is capable of sending. =head1 RETURN VALUES |