Documentation for new CT s_client flags

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/CHANGES b/CHANGES
index 8869e0b9cef0ea345ccb92b59e2932ae34219c08..8c4d9a50c65f0250211ffe4fcb93999e850401f1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -873,6 +873,11 @@
      whose return value is often ignored. 
      [Steve Henson]
 
      whose return value is often ignored. 
      [Steve Henson]
 

+  *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
+     These allow SCTs (signed certificate timestamps) to be requested and
+     validated when establishing a connection.
+     [Rob Percival <robpercival@google.com>]
+

  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.

diff --git a/NEWS b/NEWS
index cfcca0e6c360f1cfaf7b0fc93c7bcb8f73e0910a..240bd0a0018b38e7b0208968bb6e464571ae2a1a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@
       o Support for X25519
       o Extended SSL_CONF support using configuration files
       o KDF algorithm support. Implement TLS PRF as a KDF.
       o Support for X25519
       o Extended SSL_CONF support using configuration files
       o KDF algorithm support. Implement TLS PRF as a KDF.

+      o Support for Certificate Transparency

 
   Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
 
 
   Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
 

diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index d794b341c9de861229ce240b52f0f30eaf2cdc48..607ece5541687e853f0fb1510c13b9b097470bf2 100644 (file)
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -91,6 +91,8 @@ B<openssl> B<s_client>
 [B<-serverinfo types>]
 [B<-status>]
 [B<-nextprotoneg protocols>]
 [B<-serverinfo types>]
 [B<-status>]
 [B<-nextprotoneg protocols>]

+[B<-noct|requestct|requirect>]
+[B<-ctlogfile>]

 
 =head1 DESCRIPTION
 
 
 =head1 DESCRIPTION
 


@@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to
 advertise support for the TLS extension but disconnect just after
 receiving ServerHello with a list of server supported protocols.
 
 advertise support for the TLS extension but disconnect just after
 receiving ServerHello with a list of server supported protocols.
 

+=item B<-noct|requestct|requirect>
+
+Use one of these three options to control whether Certificate Transparency (CT)
+is disabled (-noct), enabled but not enforced (-requestct), or enabled and
+enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)
+will be requested from the server and invalid SCTs will cause the connection to
+be aborted. If CT is enforced, at least one valid SCT from a recognised CT log
+(see B<-ctlogfile>) will be required or the connection will be aborted.
+
+Enabling CT also enables OCSP stapling, as this is one possible delivery method
+for SCTs.
+
+=item B<-ctlogfile>
+
+A file containing a list of known Certificate Transparency logs. See
+L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
+

 =back
 
 =head1 CONNECTED COMMANDS
 =back
 
 =head1 CONNECTED COMMANDS