From: Rich Salz Date: Thu, 10 Mar 2016 15:37:31 +0000 (-0500) Subject: Add doc on when to use SCT callback. X-Git-Tag: OpenSSL_1_1_0-pre4~42 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=36cc1390f265ce5f07a8841c106a6e1e7e021678;p=oweals%2Fopenssl.git Add doc on when to use SCT callback. With help from Viktor. Reviewed-by: Viktor Dukhovni --- diff --git a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod index 59ab293c0a..167a044536 100644 --- a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod +++ b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod @@ -42,6 +42,12 @@ Certificate Transparency validation cannot be enabled and so a callback cannot be set if a custom client extension handler has been registered to handle SCT extensions (B). +If an SCT callback is enabled, a handshake may fail if the peer does +not provide a certificate, which can happen when using opportunistic +encryption with anonymous (B) cipher-suites enabled on both ends. +SCTs should only be used when the application requires an authenticated +connection, and wishes to perform additional validation on that identity. + =head1 RETURN VALUES SSL_CTX_set_ct_validation_callback() and SSL_set_ct_validation_callback() diff --git a/doc/ssl/SSL_get0_peer_scts.pod b/doc/ssl/SSL_get0_peer_scts.pod index a2a1a29906..f14ba17a19 100644 --- a/doc/ssl/SSL_get0_peer_scts.pod +++ b/doc/ssl/SSL_get0_peer_scts.pod @@ -21,7 +21,7 @@ the peer's certificate for SCTs. Future calls will return the same SCTs. If no Certificate Transparency validation callback has been set (using B or B), -this function is not guarantee to return all of the SCTs that the peer is +this function is not guaranteed to return all of the SCTs that the peer is capable of sending. =head1 RETURN VALUES
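Review bot: In the SSL_CTX_set_ct_validation_callback.pod hunk, "a handshake may fail if the peer does not provide a certificate" names the symptom but not the cause or the remedy; say that the failure is the CT validation step running with no peer certificate (and so no SCTs) to check, and tie the last sentence to something the reader can act on, e.g. "Enable the callback only on connections where a peer certificate is required (SSL_VERIFY_PEER); with anonymous cipher-suites or other opportunistic configurations, leave it unset." That turns "may fail" into a predictable condition rather than an intermittent surprise at handshake time. The bracketed B<> markers in the added text appear to have lost their contents in this rendering, so double-check that the anonymous cipher-suite name and the function references survive in the committed pod.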
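Review bot: The SSL_get0_peer_scts.pod hunk correctly fixes "not guarantee" to "not guaranteed", but the sentence still leaves the caller without the practical consequence; consider adding one line after "capable of sending." along the lines of "Applications that need the complete list should enable CT validation before the handshake begins," since the surrounding text already says the callback must be set for the SCTs to be collected.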