From: Bodo Moeller
Date: Tue, 21 Oct 2014 20:40:41 +0000 (+0200)
Subject: Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
X-Git-Tag: OpenSSL_1_0_1k~108
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=d47aebbb476c63867c90826d93ab5d2565fe1e5c;p=oweals%2Fopenssl.git
Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz
---
diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod
index 8cb669daeb..2a5aaa555e 100644
--- a/doc/ssl/SSL_CTX_set_mode.pod
+++ b/doc/ssl/SSL_CTX_set_mode.pod
@@ -71,6 +71,16 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can save around 34k per idle SSL connection. This flag has no effect on SSL v2 connections, or on DTLS connections.
+=item SSL_MODE_SEND_FALLBACK_SCSV
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+To be set only by applications that reconnect with a downgraded protocol
+version; see draft-ietf-tls-downgrade-scsv-00 for details.
+
+DO NOT ENABLE THIS if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft-ietf-tls-downgrade-scsv-00.
+
 =back
 
 =head1 RETURN VALUES
diff --git a/ssl/ssl.h b/ssl/ssl.h
index b78a1cce44..e61413c043 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -654,8 +654,13 @@ struct ssl_session_st
 #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
 #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
 /* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
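Review bot: The rewritten comment above SSL_MODE_SEND_FALLBACK_SCSV says "DO NOT ENABLE THIS" for a normal handshake but never states the failure mode, nor how the flag interacts with the sticky set_mode semantics described in the note immediately below it, so a reader of ssl.h still has to fetch the draft to understand the risk. As I read the referenced draft, a server that implements the SCSV aborts the handshake with an inappropriate_fallback alert whenever the ClientHello carries the SCSV while offering a version below the server's highest, so a flag left set on an ordinary connection turns a working handshake into a hard failure. Because the note that follows says SSL[_CTX]_set_mode ORs into the previous value, setting this flag on a shared SSL_CTX for one retry leaves it set afterwards, and connections created from that context would presumably inherit it. I would add two lines to the comment: ` * If set on a handshake that offers the client's highest version, a server implementing the SCSV rejects it (inappropriate_fallback alert).` and ` * Set it on the SSL object of the individual fallback retry, not on a shared SSL_CTX: set_mode ORs into the previous value, so it would persist.`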