whose return value is often ignored.
[Steve Henson]
+ *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
+ These allow SCTs (signed certificate timestamps) to be requested and
+ validated when establishing a connection.
+ [Rob Percival <robpercival@google.com>]
+
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
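Review bot: the new CHANGES entry for the s_client CT options leaves out the side effect that the s_client documentation in the same patch spells out, "Enabling CT also enables OCSP stapling". Since -requestct and -requirect therefore change what the client asks the server for beyond SCTs, suggest adding one sentence to this entry saying so. Anyone reading only CHANGES would otherwise not expect a status request to appear when they pass a CT option.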
o Support for X25519
o Extended SSL_CONF support using configuration files
o KDF algorithm support. Implement TLS PRF as a KDF.
+ o Support for Certificate Transparency
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
[B<-serverinfo types>]
[B<-status>]
[B<-nextprotoneg protocols>]
+[B<-noct|requestct|requirect>]
+[B<-ctlogfile>]
=head1 DESCRIPTION
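Review bot: in the added SYNOPSIS line "[B<-noct|requestct|requirect>]" only the first alternative carries a leading dash, and "[B<-ctlogfile>]" shows no argument although the option takes a file. The neighbouring entries name their arguments ("-serverinfo types", "-nextprotoneg protocols"), so suggest "[B<-noct|-requestct|-requirect>]" and "[B<-ctlogfile file>]" to match that convention and to make it clear that each of the three is a separate flag.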
advertise support for the TLS extension but disconnect just after
receiving ServerHello with a list of server supported protocols.
+=item B<-noct|requestct|requirect>
+
+Use one of these three options to control whether Certificate Transparency (CT)
+is disabled (-noct), enabled but not enforced (-requestct), or enabled and
+enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)
+will be requested from the server and invalid SCTs will cause the connection to
+be aborted. If CT is enforced, at least one valid SCT from a recognised CT log
+(see B<-ctlogfile>) will be required or the connection will be aborted.
+
+Enabling CT also enables OCSP stapling, as this is one possible delivery method
+for SCTs.
+
+=item B<-ctlogfile>
+
+A file containing a list of known Certificate Transparency logs. See
+L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
+
=back
=head1 CONNECTED COMMANDS
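Review bot: the "-noct|requestct|requirect" item never says which of the three modes applies when none is given, and its description of -requestct reads as contradictory: "enabled but not enforced" is followed by "invalid SCTs will cause the connection to be aborted". Suggest stating the default explicitly and, if this is the intent, spelling out that "not enforced" means a missing SCT is tolerated while an SCT that is present but invalid is still fatal. The "=item B<-ctlogfile>" heading should also name its file argument, and the text should say what happens when -requirect is used without -ctlogfile, because the enforcement rule depends on "a recognised CT log" and the reader cannot tell from these lines where that list comes from otherwise.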