Update doc of ssl_set_authmode()

2014-03-11 10:50:48 +01:00 · 2014-03-11 10:50:48 +01:00 · e2ce2112ac
commit e2ce2112ac
parent bb4dd37044
1 changed files with 6 additions and 0 deletions
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -869,6 +869,12 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint );
 *
 *  SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
 *                        handshake is aborted if verification failed.
+ *
+ * \note On client, SSL_VERIFY_REQUIRED is the recommended mode.
+ * With SSL_VERIFY_OPTIONAL, the user needs to call ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
 */
 void ssl_set_authmode( ssl_context *ssl, int authmode );