Diffstat (limited to 'secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3')
-rw-r--r-- | secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 | 62 |
1 files changed, 33 insertions, 29 deletions
diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 index 84d916e9a7675..59be2ec7190c3 100644 --- a/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== @@ -54,16 +54,20 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} . \} .\} +.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -129,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_CT_VALIDATION_CALLBACK 3" -.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3 "2018-11-20" "1.1.1a" "OpenSSL" +.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3 "2019-02-26" "1.1.1b" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -158,7 +162,7 @@ ssl_ct_validation_cb, SSL_enable_ct, SSL_CTX_enable_ct, SSL_disable_ct, SSL_CTX_ .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_enable_ct()\fR and \fISSL_CTX_enable_ct()\fR enable the processing of signed +\&\fBSSL_enable_ct()\fR and \fBSSL_CTX_enable_ct()\fR enable the processing of signed certificate timestamps (SCTs) either for a given \s-1SSL\s0 connection or for all connections that share the given \s-1SSL\s0 context, respectively. This is accomplished by setting a built-in \s-1CT\s0 validation callback. @@ -174,10 +178,10 @@ despite lack of valid SCTs. However, in that case if the verification status before the built-in callback was \fBX509_V_OK\fR it will be set to \fBX509_V_ERR_NO_VALID_SCTS\fR after the callback. -Applications can call \fISSL_get_verify_result\fR\|(3) to check the status at +Applications can call \fBSSL_get_verify_result\fR\|(3) to check the status at handshake completion, even after session resumption since the verification status is part of the saved session state. -See \fISSL_set_verify\fR\|(3), <\fISSL_get_verify_result\fR\|(3)>, \fISSL_session_reused\fR\|(3). +See \fBSSL_set_verify\fR\|(3), <\fBSSL_get_verify_result\fR\|(3)>, \fBSSL_session_reused\fR\|(3). .PP If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR, then the handshake continues, and the verification status is not modified, regardless of @@ -190,7 +194,7 @@ Therefore, in applications that delay \s-1SCT\s0 policy enforcement until after handshake completion, such delayed \s-1SCT\s0 checks should only be performed when the session is not resumed. .PP -\&\fISSL_set_ct_validation_callback()\fR and \fISSL_CTX_set_ct_validation_callback()\fR +\&\fBSSL_set_ct_validation_callback()\fR and \fBSSL_CTX_set_ct_validation_callback()\fR register a custom callback that may implement a different policy than either of the above. This callback can examine the peer's SCTs and determine whether they are 
@@ -211,25 +215,25 @@ employing an anonymous (aNULL) cipher suite. In that case the handshake continues as it would had no callback been requested. Callbacks are also not invoked when the peer certificate chain is invalid or -validated via \s-1\fIDANE\-TA\s0\fR\|(2) or \s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records which use a private X.509 +validated via \s-1\fBDANE\-TA\s0\fR\|(2) or \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records which use a private X.509 \&\s-1PKI,\s0 or no X.509 \s-1PKI\s0 at all, respectively. Clients that require SCTs are expected to not have enabled any aNULL ciphers -nor to have specified server verification via \s-1\fIDANE\-TA\s0\fR\|(2) or \s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 +nor to have specified server verification via \s-1\fBDANE\-TA\s0\fR\|(2) or \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records. .PP -\&\fISSL_disable_ct()\fR and \fISSL_CTX_disable_ct()\fR turn off \s-1CT\s0 processing, whether +\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR turn off \s-1CT\s0 processing, whether enabled via the built-in or the custom callbacks, by setting a \s-1NULL\s0 callback. These may be implemented as macros. .PP -\&\fISSL_ct_is_enabled()\fR and \fISSL_CTX_ct_is_enabled()\fR return 1 if \s-1CT\s0 processing is -enabled via either \fISSL_enable_ct()\fR or a non-null custom callback, and 0 +\&\fBSSL_ct_is_enabled()\fR and \fBSSL_CTX_ct_is_enabled()\fR return 1 if \s-1CT\s0 processing is +enabled via either \fBSSL_enable_ct()\fR or a non-null custom callback, and 0 otherwise. .SH "NOTES" .IX Header "NOTES" When \s-1SCT\s0 processing is enabled, \s-1OCSP\s0 stapling will be enabled. This is because one possible source of SCTs is the \s-1OCSP\s0 response from a server. .PP -The time returned by \fISSL_SESSION_get_time()\fR will be used to evaluate whether any +The time returned by \fBSSL_SESSION_get_time()\fR will be used to evaluate whether any presented SCTs have timestamps that are in the future (and therefore invalid). 
.SH "RESTRICTIONS" .IX Header "RESTRICTIONS" @@ -238,25 +242,25 @@ be set if a custom client extension handler has been registered to handle \s-1SC extensions (\fBTLSEXT_TYPE_signed_certificate_timestamp\fR). .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fISSL_enable_ct()\fR, \fISSL_CTX_enable_ct()\fR, \fISSL_CTX_set_ct_validation_callback()\fR and -\&\fISSL_set_ct_validation_callback()\fR return 1 if the \fBcallback\fR is successfully +\&\fBSSL_enable_ct()\fR, \fBSSL_CTX_enable_ct()\fR, \fBSSL_CTX_set_ct_validation_callback()\fR and +\&\fBSSL_set_ct_validation_callback()\fR return 1 if the \fBcallback\fR is successfully set. They return 0 if an error occurs, e.g. a custom client extension handler has been setup to handle SCTs. .PP -\&\fISSL_disable_ct()\fR and \fISSL_CTX_disable_ct()\fR do not return a result. +\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR do not return a result. .PP -\&\fISSL_CTX_ct_is_enabled()\fR and \fISSL_ct_is_enabled()\fR return a 1 if a non-null \s-1CT\s0 +\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non-null \s-1CT\s0 validation callback is set, or 0 if no callback (or equivalently a \s-1NULL\s0 callback) is set. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(7), -<\fISSL_get_verify_result\fR\|(3)>, -\&\fISSL_session_reused\fR\|(3), -\&\fISSL_set_verify\fR\|(3), -\&\fISSL_CTX_set_verify\fR\|(3), -\&\fISSL_SESSION_get_time\fR\|(3) +\&\fBssl\fR\|(7), +<\fBSSL_get_verify_result\fR\|(3)>, +\&\fBSSL_session_reused\fR\|(3), +\&\fBSSL_set_verify\fR\|(3), +\&\fBSSL_CTX_set_verify\fR\|(3), +\&\fBSSL_SESSION_get_time\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. |
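Review bot: In the hunk at @@ -174,10 +178,10 @@, the changed "See" line still wraps one reference in literal angle brackets, `<\fBSSL_get_verify_result\fR\|(3)>`, while SSL_set_verify(3) and SSL_session_reused(3) on the same line have none. The same bracketed form appears again in the SEE ALSO list in the last hunk. It looks like a link that was mistyped in the POD source and came through the font change untouched. Because this file is generated by Pod::Man, the correction belongs in the .pod source, followed by a regeneration, rather than in this file.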
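Review bot: In the hunk at @@ -211,25 +215,25 @@, both changed lines typeset `DANE\-TA` and `DANE\-EE` as manual page references (bold name followed by `\|(2)` and `\|(3)`), exactly like SSL_get_verify_result(3). The numbers here are TLSA certificate usage values, not manual sections, so a reader may go looking for pages that do not exist. Consider writing these two terms in the POD source in a way that Pod::Man does not format as manual page references, then regenerating.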
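Review bot: In the hunk at @@ -238,25 +242,25 @@, the RETURN VALUES context line reads "a custom client extension handler has been setup to handle SCTs"; the verb form should be "set up". The same section says the enable functions "return 1" but the is_enabled functions "return a 1"; using one wording for both would read better. Both are wording in the POD source, so fix them there and regenerate.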