From 98f1ac7df57dbfd8257ed92efbb1bfe89a3e2e68 Mon Sep 17 00:00:00 2001
From: Bodo Moeller
Date: Tue, 21 Oct 2014 22:43:08 +0200
Subject: Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.

Reviewed-by: Rich Salz
---
 ssl/ssl.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'ssl')

diff --git a/ssl/ssl.h b/ssl/ssl.h
index a0db4f2a21..f45264ce59 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -686,8 +686,13 @@ struct ssl_session_st
 #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
 #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
 /* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L

 /* Cert related flags */
-- 
cgit v1.2.3
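Review bot: The strengthened comment on SSL_MODE_SEND_FALLBACK_SCSV tells applications not to set the flag on a normal handshake but never says what goes wrong, which is the one fact an application author needs to weigh the warning. As I read the referenced draft, a server that supports a higher protocol version than the one offered in the ClientHello and sees TLS_FALLBACK_SCSV aborts with an inappropriate_fallback alert, so enabling this mode on an initial connection (or on a retry that did not actually lower the maximum version, e.g. via SSL_OP_NO_TLSv1_x) turns a healthy server into a hard connection failure; I would add after the DO NOT ENABLE line ` * A server supporting a newer version than the one offered will then` / ` * reject the handshake with an inappropriate_fallback alert.`. The pointer to `draft-ietf-tls-downgrade-scsv-00` is now repeated twice and pins a specific draft revision that will go stale; one reference to the TLS_FALLBACK_SCSV specification (draft-ietf-tls-downgrade-scsv, or the RFC once published) is enough. Both struct ssl_session_st and the flag list this hunk sits in continue outside the hunk.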