path: root/doc/man3/SSL_CTX_set_ct_validation_callback.pod
author: Rob Percival <robpercival@google.com> 2016-09-08 16:02:46 +0100
committer: Rich Salz <rsalz@openssl.org> 2016-11-15 16:12:41 -0500
commit: 1fa9ffd934429f140edcfbaf76d2f32cc21e449b (patch)
tree: 6fb2ae2a0d3e11febb094acc8e3df03621000ab1 /doc/man3/SSL_CTX_set_ct_validation_callback.pod
parent: 7b176a549ea374fc9b64c3fa7f0812239528b696 (diff)
Check that SCT timestamps are not in the future
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Diffstat (limited to 'doc/man3/SSL_CTX_set_ct_validation_callback.pod')
-rw-r--r-- doc/man3/SSL_CTX_set_ct_validation_callback.pod | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/doc/man3/SSL_CTX_set_ct_validation_callback.pod b/doc/man3/SSL_CTX_set_ct_validation_callback.pod
index a6cbe8f527..d818e00fc5 100644
--- a/doc/man3/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/man3/SSL_CTX_set_ct_validation_callback.pod
@@ -97,6 +97,9 @@ otherwise.
When SCT processing is enabled, OCSP stapling will be enabled. This is because
one possible source of SCTs is the OCSP response from a server.
+The time returned by SSL_SESSION_get_time() will be used to evaluate whether any
+presented SCTs have timestamps that are in the future (and therefore invalid).
+
=head1 RESTRICTIONS
Certificate Transparency validation cannot be enabled and so a callback cannot
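Review bot: The added sentence "The time returned by SSL_SESSION_get_time() will be used ..." does not say which session is meant or what that time represents. SSL_SESSION_get_time() reports when the session was established rather than the current time, and this page already links SSL_session_reused(3), so a reader cannot tell from the text what reference time applies on a resumed connection; please name the session explicitly and say that its establishment time is the reference. It would also help to state whether any tolerance for clock skew is applied, since "in the future (and therefore invalid)" reads as a strict comparison and a client whose clock runs behind would see otherwise good SCTs reported as invalid with no documented cause.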
@@ -124,7 +127,8 @@ L<ssl(7)>,
L<SSL_session_reused(3)>,
L<SSL_set_verify(3)>,
L<SSL_CTX_set_verify(3)>,
-L<ssl_ct_validation_cb(3)>
+L<ssl_ct_validation_cb(3)>,
+L<SSL_SESSION_get_time(3)>
=head1 COPYRIGHT