path: root/doc/man3/RSA_public_encrypt.pod
Diffstat (limited to 'doc/man3/RSA_public_encrypt.pod')
-rw-r--r-- doc/man3/RSA_public_encrypt.pod 13
1 files changed, 10 insertions, 3 deletions
diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
index 2ae6c7f290..47d198a24c 100644
--- a/doc/man3/RSA_public_encrypt.pod
+++ b/doc/man3/RSA_public_encrypt.pod
@@ -94,10 +94,17 @@ design. Prefer RSA_PKCS1_OAEP_PADDING.
In OpenSSL before version 3.2.0, both the return value and the length of
returned value could be used to mount the Bleichenbacher attack.
-Since version 3.2.0, OpenSSL does not return an error in case of padding
-checks failed. Instead it generates a random message based on used private
+Since version 3.2.0, the default provider in OpenSSL does not return an
+error when padding checks fail. Instead it generates a random
+message based on used private
key and provided ciphertext so that application code doesn't have to implement
a side-channel secure error handling.
+Applications that want to be secure against side-channel attacks with
+providers that don't implement implicit rejection, still need to
+handle the returned values using side-channel free code.
+Side-channel free handling of the error stack can be performed using
+either a pair of unconditional L<ERR_set_mark(3)> and L<ERR_pop_to_mark(3)>
+calls or by using the L<ERR_clear_error(3)> call.
=head1 CONFORMING TO
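Review bot: The added sentence "still need to handle the returned values using side-channel free code" does not say which values are meant. The context line above names both the return value and the length of the returned value as usable for the Bleichenbacher attack, so repeat both here to make clear that neither may be handled in a way that depends on padding success. Two wording points in the same paragraph: drop the comma after "implicit rejection", and make the last sentence parallel, for example "using either a pair of unconditional ERR_set_mark(3) and ERR_pop_to_mark(3) calls or the ERR_clear_error(3) call". Since the line is being reflowed anyway, "based on used private key" could become "based on the private key used".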
@@ -106,7 +113,7 @@ SSL, PKCS #1 v2.0
=head1 SEE ALSO
L<ERR_get_error(3)>, L<RAND_bytes(3)>,
-L<RSA_size(3)>
+L<RSA_size(3)>, L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_encrypt(3)>
=head1 HISTORY
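Review bot: SEE ALSO gains EVP_PKEY_decrypt(3) and EVP_PKEY_encrypt(3), but the three functions the new NOTES text in the first hunk tells readers to call, ERR_set_mark(3), ERR_pop_to_mark(3) and ERR_clear_error(3), are not listed. Suggest adding them next to the existing L<ERR_get_error(3)> entry so the error-stack guidance is reachable from this section.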