From eb64a6c6762652a5a293819f6934046e8a148c5e Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Thu, 3 Mar 2016 14:07:28 +0000 Subject: [PATCH] Documentation for new CT s_client flags Reviewed-by: Ben Laurie Reviewed-by: Rich Salz --- CHANGES | 5 +++++ NEWS | 1 + doc/apps/s_client.pod | 19 +++++++++++++++++++ 3 files changed, 25 insertions(+) diff --git a/CHANGES b/CHANGES index 8869e0b9ce..8c4d9a50c6 100644 --- a/CHANGES +++ b/CHANGES @@ -873,6 +873,11 @@ whose return value is often ignored. [Steve Henson] + *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. + These allow SCTs (signed certificate timestamps) to be requested and + validated when establishing a connection. + [Rob Percival ] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. diff --git a/NEWS b/NEWS index cfcca0e6c3..240bd0a001 100644 --- a/NEWS +++ b/NEWS @@ -39,6 +39,7 @@ o Support for X25519 o Extended SSL_CONF support using configuration files o KDF algorithm support. Implement TLS PRF as a KDF. + o Support for Certificate Transparency Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index d794b341c9..607ece5541 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -91,6 +91,8 @@ B B [B<-serverinfo types>] [B<-status>] [B<-nextprotoneg protocols>] +[B<-noct|requestct|requirect>] +[B<-ctlogfile>] =head1 DESCRIPTION @@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols. +=item B<-noct|requestct|requirect> + +Use one of these three options to control whether Certificate Transparency (CT) +is disabled (-noct), enabled but not enforced (-requestct), or enabled and +enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs) +will be requested from the server and invalid SCTs will cause the connection to +be aborted. If CT is enforced, at least one valid SCT from a recognised CT log +(see B<-ctlogfile>) will be required or the connection will be aborted. + +Enabling CT also enables OCSP stapling, as this is one possible delivery method +for SCTs. + +=item B<-ctlogfile> + +A file containing a list of known Certificate Transparency logs. See +L for the expected file format. + =back =head1 CONNECTED COMMANDS -- 2.34.1