[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Sat Mar 12 18:02:52 UTC 2016

The branch master has been updated
       via  36cc1390f265ce5f07a8841c106a6e1e7e021678 (commit)
      from  4b8574461b92ea64ef048335f942995a09025331 (commit)

- Log -----------------------------------------------------------------
commit 36cc1390f265ce5f07a8841c106a6e1e7e021678
Author: Rich Salz <rsalz at openssl.org>
Date:   Thu Mar 10 10:37:31 2016 -0500

    Add doc on when to use SCT callback.
    With help from Viktor.
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>


Summary of changes:
 doc/ssl/SSL_CTX_set_ct_validation_callback.pod | 6 ++++++
 doc/ssl/SSL_get0_peer_scts.pod                 | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
index 59ab293..167a044 100644
--- a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
@@ -42,6 +42,12 @@ Certificate Transparency validation cannot be enabled and so a callback cannot
 be set if a custom client extension handler has been registered to handle SCT
 extensions (B<TLSEXT_TYPE_signed_certificate_timestamp>).
+If an SCT callback is enabled, a handshake may fail if the peer does
+not provide a certificate, which can happen when using opportunistic
+encryption with anonymous (B<aNULL>) cipher-suites enabled on both ends.
+SCTs should only be used when the application requires an authenticated
+connection, and wishes to perform additional validation on that identity.
 SSL_CTX_set_ct_validation_callback() and SSL_set_ct_validation_callback()
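Review bot: The new paragraph leaves the mechanism implicit. Its first sentence says the handshake "may fail if the peer does not provide a certificate", and the B<aNULL> example explains when that happens, but not why: with an anonymous cipher-suite there is no peer certificate, so there is nothing for the SCT callback to validate. Spelling that out in the first sentence (e.g. "... does not provide a certificate, so there is nothing for the callback to validate, which can happen when ...") would make the caveat self-explanatory. The last sentence also switches subject from "an SCT callback is enabled" to "SCTs should only be used"; since this page documents the callback, "SCT validation should only be enabled when the application requires an authenticated connection ..." would match the opening sentence and the function being described.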
diff --git a/doc/ssl/SSL_get0_peer_scts.pod b/doc/ssl/SSL_get0_peer_scts.pod
index a2a1a29..f14ba17 100644
--- a/doc/ssl/SSL_get0_peer_scts.pod
+++ b/doc/ssl/SSL_get0_peer_scts.pod
@@ -21,7 +21,7 @@ the peer's certificate for SCTs. Future calls will return the same SCTs.
 If no Certificate Transparency validation callback has been set (using
 B<SSL_CTX_set_ct_validation_callback> or B<SSL_set_ct_validation_callback>),
-this function is not guarantee to return all of the SCTs that the peer is
+this function is not guaranteed to return all of the SCTs that the peer is
 capable of sending.
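Review bot: The grammar fix ("guarantee" to "guaranteed") is correct. While this sentence is being touched, it would help to say what "not guaranteed to return all of the SCTs" means in practice, since the current wording does not tell a caller whether the returned list may merely be incomplete or may be empty when no validation callback has been set, and that distinction decides whether an application can rely on this function without first calling B<SSL_CTX_set_ct_validation_callback> or B<SSL_set_ct_validation_callback>.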
