From 98f1ac7df57dbfd8257ed92efbb1bfe89a3e2e68 Mon Sep 17 00:00:00 2001
From: Bodo Moeller <bodo@openssl.org>
Date: Tue, 21 Oct 2014 22:43:08 +0200
Subject: Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 doc/ssl/SSL_CTX_set_mode.pod | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'doc/ssl')

diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod
index 0bcf5d2afc..2a5aaa555e 100644
--- a/doc/ssl/SSL_CTX_set_mode.pod
+++ b/doc/ssl/SSL_CTX_set_mode.pod
@@ -71,12 +71,16 @@ SSL_CTX->freelist_max_len, which defaults to 32.  Using this flag can
 save around 34k per idle SSL connection.
 This flag has no effect on SSL v2 connections, or on DTLS connections.
 
-=item SSL_MODE_FALLBACK_SCSV
+=item SSL_MODE_SEND_FALLBACK_SCSV
 
 Send TLS_FALLBACK_SCSV in the ClientHello.
-To be set by applications that reconnect with a downgraded protocol
+To be set only by applications that reconnect with a downgraded protocol
 version; see draft-ietf-tls-downgrade-scsv-00 for details.
 
+DO NOT ENABLE THIS if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft-ietf-tls-downgrade-scsv-00.
+
 =back
 
 =head1 RETURN VALUES
-- 
cgit v1.2.3