mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-25 20:00:44 +08:00
Code Issues Packages Projects Releases Wiki Activity

Documentation for new CT s_client flags

Browse Source 
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Rob Percival 2016-03-03 14:07:28 +00:00 committed by Rich Salz
parent 238d692c6a
commit eb64a6c676
3 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -873,6 +873,11 @@
whose return value is often ignored.
[Steve Henson]
*) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
These allow SCTs (signed certificate timestamps) to be requested and
validated when establishing a connection.
[Rob Percival <robpercival@google.com>]
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.

1
NEWS
View File

@ -39,6 +39,7 @@
o Support for X25519
o Extended SSL_CONF support using configuration files
o KDF algorithm support. Implement TLS PRF as a KDF.
o Support for Certificate Transparency
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]

19
doc/apps/s_client.pod
View File

@ -91,6 +91,8 @@ B<openssl> B<s_client>
[B<-serverinfo types>]
[B<-status>]
[B<-nextprotoneg protocols>]
[B<-noct|requestct|requirect>]
[B<-ctlogfile>]
=head1 DESCRIPTION
@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to
advertise support for the TLS extension but disconnect just after
receiving ServerHello with a list of server supported protocols.
=item B<-noct|requestct|requirect>
Use one of these three options to control whether Certificate Transparency (CT)
is disabled (-noct), enabled but not enforced (-requestct), or enabled and
enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)
will be requested from the server and invalid SCTs will cause the connection to
be aborted. If CT is enforced, at least one valid SCT from a recognised CT log
(see B<-ctlogfile>) will be required or the connection will be aborted.
Enabling CT also enables OCSP stapling, as this is one possible delivery method
for SCTs.
=item B<-ctlogfile>
A file containing a list of known Certificate Transparency logs. See
L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
=back
=head1 CONNECTED COMMANDS