diff options
| author | Simon Josefsson <simon@josefsson.org> | 2010-06-07 16:12:11 +0200 |
|---|---|---|
| committer | Simon Josefsson <simon@josefsson.org> | 2010-06-07 16:12:11 +0200 |
| commit | 414672179d60a511332421dc85df833fbe46b292 (patch) | |
| tree | 6b5d4385deeb4677fd7b69af4d742fc772cad6a6 | |
| parent | c85bff2e336eeda70a4312d1296dd12568cda0c9 (diff) | |
| download | gnutls-414672179d60a511332421dc85df833fbe46b292.tar.gz | |
Doc fix.
| -rw-r--r-- | lib/gnutls_priority.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 7e714683d4..09eb5ecdd8 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -523,22 +523,25 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority) * "%COMPAT" will enable compatibility features for a server. * * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation - * completely. Do not use unless you know what you are doing. Testing - * purposes only. - * - * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is - * now the default for clients, but will change once more servers - * support the safe renegotiation TLS fix). - * - * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe - * renegotiation and will protect all clients from known attacks, but - * will not prevent insecure clients from connecting. In client side - * it will disallow from renegotiating with an insecure server but - * will not prevent connecting to one (this leaves the client - * vulnerable to attacks). - * - * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and - * Servers will refuse to talk to an insecure peer. + * completely. Do not use unless you know what you are doing. + * Testing purposes only. + * + * "%UNSAFE_RENEGOTIATION" will allow handshakes and rehandshakes + * without the safe renegotiation extension. Note that for clients + * this mode is insecure (you may be under attack), and for servers it + * will allow insecure clients to connect (which could be fooled by an + * attacker). Do not use unless you know what you are doing and want + * maximum compatibility. + * + * "%PARTIAL_RENEGOTIATION" will allow initial handshakes to proceed, + * but not rehandshakes. This leaves the client vulnerable to attack, + * and servers will be compatible with non-upgraded clients for + * initial handshakes. This is currently the default for clients and + * servers, for compatibility reasons. + * + * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and + * servers will refuse to talk to an insecure peer. Currently this + * causes operability problems, but is required for full protection. * * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client * hello. |