#include <openssl/ssl.h>
/*
 * Certificate Transparency (CT) validation API.
 *
 * Application-supplied CT validation callback.  It receives the policy
 * evaluation context, the SCTs presented by the peer, and the opaque
 * pointer that was registered together with the callback.  The meaning
 * of the int result is not shown in this excerpt.
 */
typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
const STACK_OF(SCT) *scts, void *arg);
/*
 * Enable SCT processing for one connection (SSL) or for every connection
 * sharing the context (SSL_CTX) by installing the built-in CT validation
 * callback.  validation_mode is SSL_CT_VALIDATION_PERMISSIVE or
 * SSL_CT_VALIDATION_STRICT.  STRICT aborts the handshake only when the
 * verification mode is SSL_VERIFY_PEER; under SSL_VERIFY_NONE the handshake
 * continues and a verify result of X509_V_OK is changed to
 * X509_V_ERR_NO_VALID_SCTS instead, so the application should inspect
 * SSL_get_verify_result() itself in that configuration.  Return values are
 * not described in this excerpt.
 */
int SSL_enable_ct(SSL *s, int validation_mode);
int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode);
/*
 * Install an application-defined CT validation callback instead of the
 * built-in one; arg is handed to the callback unchanged.
 */
int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
void *arg);
int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
ssl_ct_validation_cb callback,
void *arg);
/*
 * Turn CT processing off again for s / ctx (presumably by removing the
 * validation callback — the mechanism is not shown in this excerpt).
 */
void SSL_disable_ct(SSL *s);
void SSL_CTX_disable_ct(SSL_CTX *ctx);
/* Query whether CT processing is currently enabled for s / ctx. */
int SSL_ct_is_enabled(const SSL *s);
int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
DESCRIPTION
SSL_enable_ct() and SSL_CTX_enable_ct() enable the processing of signed certificate timestamps (SCTs), either for a given SSL connection or for all connections that share the given SSL context, respectively. This is accomplished by setting a built-in CT validation callback. The behaviour of the callback is determined by the validation_mode argument, which can be either SSL_CT_VALIDATION_PERMISSIVE or SSL_CT_VALIDATION_STRICT, as described below.
If validation_mode is equal to SSL_CT_VALIDATION_STRICT, then in a full TLS handshake with the verification mode set to SSL_VERIFY_PEER, if the peer presents no valid SCTs the handshake will be aborted. If the verification mode is SSL_VERIFY_NONE, the handshake will continue despite the lack of valid SCTs. However, in that case, if the verification status before the built-in callback was X509_V_OK, it will be set to X509_V_ERR_NO_VALID_SCTS after the callback. Applications can call SSL_set_verify(3), SSL_get_verify_result(3),
NOTES