From 36cc1390f265ce5f07a8841c106a6e1e7e021678 Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Thu, 10 Mar 2016 10:37:31 -0500
Subject: Add doc on when to use SCT callback.

With help from Viktor.

Reviewed-by: Viktor Dukhovni
---
 doc/ssl/SSL_CTX_set_ct_validation_callback.pod | 6 ++++++
 doc/ssl/SSL_get0_peer_scts.pod | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

(limited to 'doc')

diff --git a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
index 59ab293c0a..167a044536 100644
--- a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
@@ -42,6 +42,12 @@ Certificate Transparency validation cannot be enabled and so a callback cannot be set if a custom client extension handler has been registered to handle SCT extensions (B).
+If an SCT callback is enabled, a handshake may fail if the peer does
+not provide a certificate, which can happen when using opportunistic
+encryption with anonymous (B) cipher-suites enabled on both ends.
+SCTs should only be used when the application requires an authenticated
+connection, and wishes to perform additional validation on that identity.
+
 =head1 RETURN VALUES SSL_CTX_set_ct_validation_callback() and SSL_set_ct_validation_callback()
diff --git a/doc/ssl/SSL_get0_peer_scts.pod b/doc/ssl/SSL_get0_peer_scts.pod
index a2a1a29906..f14ba17a19 100644
--- a/doc/ssl/SSL_get0_peer_scts.pod
+++ b/doc/ssl/SSL_get0_peer_scts.pod
@@ -21,7 +21,7 @@ the peer's certificate for SCTs. Future calls will return the same SCTs. If no Certificate Transparency validation callback has been set (using B or B),
-this function is not guarantee to return all of the SCTs that the peer is
+this function is not guaranteed to return all of the SCTs that the peer is
 capable of sending. =head1 RETURN VALUES
--
cgit v1.2.3