Add some documentation of SSL_CTX_set_tlsext_status_type()

The previous commit added SSL_CTX_set_tlsext_status_type(). This one adds
some documentation for it.

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
index b8147baecf98b9d036d177630586f961684e2423..01481385e767e01987561cd66a22cc4e590039f1 100644 (file)
--- a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -3,8 +3,9 @@
 =head1 NAME
 
 SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
-SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
-SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
+SSL_CTX_set_tlsext_status_type, SSL_set_tlsext_status_type,
+SSL_get_tlsext_status_ocsp_resp, SSL_set_tlsext_status_ocsp_resp - OCSP
+Certificate Status Request functions
 
 =head1 SYNOPSIS
 
@@ -14,6 +15,8 @@ SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
                                    int (*callback)(SSL *, void *));
  long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 
+ long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
+
  long SSL_set_tlsext_status_type(SSL *s, int type);
 
  long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
@@ -23,16 +26,19 @@ SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
 
 A client application may request that a server send back an OCSP status response
 (also known as OCSP stapling). To do so the client should call the
-SSL_set_tlsext_status_type() function prior to the start of the handshake.
+SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL
+objects. Alternatively an application can call the SSL_set_tlsext_status_type()
+function on an individual SSL object prior to the start of the handshake.
 Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value
-should be passed in the B<type> argument. The client should additionally provide
-a callback function to decide what to do with the returned OCSP response by
-calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
-whether the returned OCSP response is acceptable or not. The callback will be
-passed as an argument the value previously set via a call to
-SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
-the event of a handshake where session resumption occurs (because there are no
-Certificates exchanged in such a handshake).
+should be passed in the B<type> argument.
+
+The client should additionally provide a callback function to decide what to do
+with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb(). The
+callback function should determine whether the returned OCSP response is
+acceptable or not. The callback will be passed as an argument the value
+previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the
+callback will not be called in the event of a handshake where session resumption
+occurs (because there are no Certificates exchanged in such a handshake).
 
 The response returned by the server can be obtained via a call to
 SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
@@ -64,10 +70,14 @@ returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
 occurred).
 
 SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
-SSL_set_tlsext_status_type() and SSL_set_tlsext_status_ocsp_resp() return 0 on
-error or 1 on success.
+SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and
+SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success.
 
 SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
 or -1 if there is no OCSP response data.
 
+=head1 HISTORY
+
+SSL_CTX_set_tlsext_status_type() was added in OpenSSL 1.1.0.
+
 =cut