X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fs_client.pod;fp=doc%2Fapps%2Fs_client.pod;h=607ece5541687e853f0fb1510c13b9b097470bf2;hp=d794b341c9de861229ce240b52f0f30eaf2cdc48;hb=eb64a6c6762652a5a293819f6934046e8a148c5e;hpb=238d692c6a9b07ce04d896481783478086fedc6d

diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index d794b341c9..607ece5541 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -91,6 +91,8 @@ B<openssl> B<s_client>
 [B<-serverinfo types>]
 [B<-status>]
 [B<-nextprotoneg protocols>]
+[B<-noct|requestct|requirect>]
+[B<-ctlogfile>]
 
 =head1 DESCRIPTION
 
@@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to
 advertise support for the TLS extension but disconnect just after
 receiving ServerHello with a list of server supported protocols.
 
+=item B<-noct|requestct|requirect>
+
+Use one of these three options to control whether Certificate Transparency (CT)
+is disabled (-noct), enabled but not enforced (-requestct), or enabled and
+enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)
+will be requested from the server and invalid SCTs will cause the connection to
+be aborted. If CT is enforced, at least one valid SCT from a recognised CT log
+(see B<-ctlogfile>) will be required or the connection will be aborted.
+
+Enabling CT also enables OCSP stapling, as this is one possible delivery method
+for SCTs.
+
+=item B<-ctlogfile>
+
+A file containing a list of known Certificate Transparency logs. See
+L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
+
 =back
 
 =head1 CONNECTED COMMANDS