SSL_clear != SSL_free/SSL_new

1 files changed, 19 insertions, 0 deletions

diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod
index f0aa5e94eb..8e077e31c9 100644
--- a/doc/ssl/SSL_clear.pod
+++ b/doc/ssl/SSL_clear.pod
@@ -25,6 +25,25 @@ if L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
 or at least L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was used to
 set the SSL_SENT_SHUTDOWN state.
 
+If a session was closed cleanly, the session object will be kept and all
+settings corresponding. This explicitly means, that e.g. the special method
+used during the session will be kept for the next handshake. So if the
+session was a TLSv1 session, a SSL client object will use a TLSv1 client
+method for the next handshake and a SSL server object will use a TLSv1
+server method, even if SSLv23_*_methods were chosen on startup. This
+will might lead to connection failures (see L<SSL_new(3)|SSL_new(3)>)
+for a description of the method's properties.
+
+=head1 WARNINGS
+
+SSL_clear() resets the SSL object to allow for another connection. The
+reset operation however keeps several settings of the last sessions
+(some of these settings were made automatically during the last
+handshake). It only makes sense when opening a new session (or reusing
+an old one) with the same peer that shares these settings.
+SSL_clear() is not a short form for the sequence
+L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>; .
+
 =head1 RETURN VALUES
 
 The following return values can occur: