authorJack Lloyd <[email protected]>2016-11-28 05:30:54 -0500
committerJack Lloyd <[email protected]>2016-11-28 05:30:54 -0500
commit71406354a1ec7c2021b92e051ede72fe0466639a (patch)
treebbe6ae8104efe42e3a018c0d9374102960dd944c
parentea3cb1e12822bbdbe99938ef47ac739f9c891ff4 (diff)
Document TLS::Policy::require_cert_revocation_info
-rw-r--r--doc/manual/tls.rst20
-rw-r--r--src/cli/tls_client.cpp3
2 files changed, 22 insertions, 1 deletions
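--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -705,6 +705,26 @@ policy settings from a file.
 Default: false
+ .. cpp:function:: size_t minimum_signature_strength() const
+
+ Return the minimum strength (as ``n``, representing ``2**n`` work)
+ we will accept for a signature algorithm on any certificate.
+
+ Use 80 to enable RSA-1024 (*not recommended*), or 128 to require
+ either ECC or large (~3000 bit) RSA keys.
+
+ Default: 110 (allowing 2048 bit RSA)
+
+ .. cpp:function:: bool require_cert_revocation_info() const
+
+ If this function returns true, and a ciphersuite using certificates was
+ negotiated, then we must have access to a valid CRL or OCSP response in
+ order to trust the certificate.
+
+ .. warning:: Returning false here could expose you to attacks
+
+ Default: true
+
 .. cpp:function:: std::string dh_group() const
 For ephemeral Diffie-Hellman key exchange, the server sends a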
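--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -263,7 +263,8 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
 if(cert_chain.empty())
 throw std::invalid_argument("Certificate chain was empty");
-Botan::Path_Validation_Restrictions restrictions(true, policy.minimum_signature_strength());
+Botan::Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
+policy.minimum_signature_strength());
 auto ocsp_timeout = std::chrono::milliseconds(1000);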
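Review bot: The first argument to Path_Validation_Restrictions is now a policy-driven bool passed positionally, and nothing at the call site says what it controls; a one-line comment such as `// require a valid CRL/OCSP response for the chain iff the policy demands it (fail closed)` above the constructor call would keep the intent visible. With the documented default of true, chain validation presumably succeeds only if revocation data is obtained within the hard-coded 1000 ms `ocsp_timeout` on the following line, so a slow or unreachable responder fails the handshake — the intended fail-closed behaviour, but worth stating next to the timeout so the two are tuned together rather than by switching the policy to false. The enclosing callback starts and ends outside the hunk.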