Documentation for new CT s_client flags

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rob Percival
2016-03-03 14:07:28 +00:00
committed by Rich Salz
parent 238d692c6a
commit eb64a6c676
3 changed files with 25 additions and 0 deletions


@@ -873,6 +873,11 @@
whose return value is often ignored. whose return value is often ignored.
[Steve Henson] [Steve Henson]
*) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
These allow SCTs (signed certificate timestamps) to be requested and
validated when establishing a connection.
[Rob Percival <robpercival@google.com>]
Changes between 1.0.2f and 1.0.2g [1 Mar 2016] Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
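Review bot: The new CHANGES entry names the four options but leaves the reader to infer which does what; the second sentence could state that -noct disables CT, -requestct requests SCTs without requiring them, -requirect requires at least one valid SCT, and -ctlogfile supplies the log list, so the entry is self-contained without the manpage.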

NEWS

@@ -39,6 +39,7 @@
o Support for X25519 o Support for X25519
o Extended SSL_CONF support using configuration files o Extended SSL_CONF support using configuration files
o KDF algorithm support. Implement TLS PRF as a KDF. o KDF algorithm support. Implement TLS PRF as a KDF.
o Support for Certificate Transparency
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]


@@ -91,6 +91,8 @@ B<openssl> B<s_client>
[B<-serverinfo types>] [B<-serverinfo types>]
[B<-status>] [B<-status>]
[B<-nextprotoneg protocols>] [B<-nextprotoneg protocols>]
[B<-noct|requestct|requirect>]
[B<-ctlogfile>]
=head1 DESCRIPTION =head1 DESCRIPTION
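Review bot: In the synopsis, [B<-ctlogfile>] omits the argument placeholder that the neighbouring entries carry ([B<-serverinfo types>], [B<-nextprotoneg protocols>]), even though the option takes a file path; write it as [B<-ctlogfile file>] (and use the same form in the =item heading of the later hunk) so the synopsis shows that an argument is mandatory.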
@@ -435,6 +437,23 @@ Empty list of protocols is treated specially and will cause the client to
advertise support for the TLS extension but disconnect just after advertise support for the TLS extension but disconnect just after
receiving ServerHello with a list of server supported protocols. receiving ServerHello with a list of server supported protocols.
=item B<-noct|requestct|requirect>
Use one of these three options to control whether Certificate Transparency (CT)
is disabled (-noct), enabled but not enforced (-requestct), or enabled and
enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)
will be requested from the server and invalid SCTs will cause the connection to
be aborted. If CT is enforced, at least one valid SCT from a recognised CT log
(see B<-ctlogfile>) will be required or the connection will be aborted.
Enabling CT also enables OCSP stapling, as this is one possible delivery method
for SCTs.
=item B<-ctlogfile>
A file containing a list of known Certificate Transparency logs. See
L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
=back =back
=head1 CONNECTED COMMANDS =head1 CONNECTED COMMANDS
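Review bot: The -noct|requestct|requirect description never states the default when none of the three is given, nor what -requirect does when no -ctlogfile is supplied, even though it says a valid SCT "from a recognised CT log (see B<-ctlogfile>)" is required; add a sentence giving the default mode and saying whether a default log list is loaded or whether -requirect without -ctlogfile always aborts the connection. The -ctlogfile =item should also take the form B<-ctlogfile file> to match the other options that carry an argument.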