From: Bodo Moeller <bodo@openssl.org>
Date: Tue, 21 Oct 2014 20:41:27 +0000 (+0200)
Subject: Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
X-Git-Tag: OpenSSL_0_9_8zd~21
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6a04b0d5a432c7156764529d41aea18dea8010f0;p=oweals%2Fopenssl.git

Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
---

diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod
index 0ee23433ba..f9b838fe6f 100644
--- a/doc/ssl/SSL_CTX_set_mode.pod
+++ b/doc/ssl/SSL_CTX_set_mode.pod
@@ -61,12 +61,16 @@ deal with read/write operations returning without success report. The
 flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
 return after the handshake and successful completion.
 
-=item SSL_MODE_FALLBACK_SCSV
+=item SSL_MODE_SEND_FALLBACK_SCSV
 
 Send TLS_FALLBACK_SCSV in the ClientHello.
-To be set by applications that reconnect with a downgraded protocol
+To be set only by applications that reconnect with a downgraded protocol
 version; see draft-ietf-tls-downgrade-scsv-00 for details.
 
+DO NOT ENABLE THIS if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft-ietf-tls-downgrade-scsv-00.
+
 =back
 
 =head1 RETURN VALUES
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 6435c5966d..4ea0d80124 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -564,8 +564,13 @@ typedef struct ssl_session_st
 /* Don't attempt to automatically build certificate chain */
 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 /* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L