Documentation for new CT s_client flags

     whose return value is often ignored. 

     [Steve Henson]

  *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.

     These allow SCTs (signed certificate timestamps) to be requested and

     validated when establishing a connection.

     [Rob Percival <robpercival@google.com>]

 Changes between 1.0.2f and 1.0.2g [1 Mar 2016]

  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.

      o Support for X25519

      o Extended SSL_CONF support using configuration files

      o KDF algorithm support. Implement TLS PRF as a KDF.

      o Support for Certificate Transparency

  Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]

[B<-serverinfo types>]

[B<-status>]

[B<-nextprotoneg protocols>]

[B<-noct|requestct|requirect>]

[B<-ctlogfile>]

=head1 DESCRIPTION

advertise support for the TLS extension but disconnect just after

receiving ServerHello with a list of server supported protocols.

=item B<-noct|requestct|requirect>

Use one of these three options to control whether Certificate Transparency (CT)

is disabled (-noct), enabled but not enforced (-requestct), or enabled and

enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)

will be requested from the server and invalid SCTs will cause the connection to

be aborted. If CT is enforced, at least one valid SCT from a recognised CT log

(see B<-ctlogfile>) will be required or the connection will be aborted.

Enabling CT also enables OCSP stapling, as this is one possible delivery method

for SCTs.

=item B<-ctlogfile>

A file containing a list of known Certificate Transparency logs. See

L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.

=back

=head1 CONNECTED COMMANDS