authorBodo Moeller <bodo@openssl.org>2014-10-21 22:40:41 +0200
committerBodo Moeller <bodo@openssl.org>2014-10-21 22:40:41 +0200
commitd47aebbb476c63867c90826d93ab5d2565fe1e5c (patch)
tree9eebe4fbef02c037eb4069f77eeb714cda0da54c /ssl/ssl.h
parent08931f1cd678ede5735825fb451fdb273a0177ed (diff)
Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/ssl.h')
-rw-r--r--ssl/ssl.h9
1 files changed, 7 insertions, 2 deletions
diff --git a/ssl/ssl.h b/ssl/ssl.h
index b78a1cce44..e61413c043 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -654,8 +654,13 @@ struct ssl_session_st
#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
/* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,