-rw-r--r-- | lib/gnutls_priority.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 7e714683d4..09eb5ecdd8 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c 
@@ -523,22 +523,25 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority) * "%COMPAT" will enable compatibility features for a server. * * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation - * completely. Do not use unless you know what you are doing. Testing - * purposes only. - * - * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is - * now the default for clients, but will change once more servers - * support the safe renegotiation TLS fix). - * - * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe - * renegotiation and will protect all clients from known attacks, but - * will not prevent insecure clients from connecting. In client side - * it will disallow from renegotiating with an insecure server but - * will not prevent connecting to one (this leaves the client - * vulnerable to attacks). - * - * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and - * Servers will refuse to talk to an insecure peer. + * completely. Do not use unless you know what you are doing. + * Testing purposes only. + * + * "%UNSAFE_RENEGOTIATION" will allow handshakes and rehandshakes + * without the safe renegotiation extension. Note that for clients + * this mode is insecure (you may be under attack), and for servers it + * will allow insecure clients to connect (which could be fooled by an + * attacker). Do not use unless you know what you are doing and want + * maximum compatibility. + * + * "%PARTIAL_RENEGOTIATION" will allow initial handshakes to proceed, + * but not rehandshakes. This leaves the client vulnerable to attack, + * and servers will be compatible with non-upgraded clients for + * initial handshakes. This is currently the default for clients and + * servers, for compatibility reasons. + * + * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and + * servers will refuse to talk to an insecure peer. 
Currently this + * causes operability problems, but is required for full protection. * * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client * hello. |
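Review bot: the comment block in gnutls_priority_set renames the documented keyword from "%PARTIAL_SAFE_RENEGOTIATION" to "%PARTIAL_RENEGOTIATION", but nothing in this hunk touches the code that matches the priority-string keywords, so please confirm the parser accepts the new spelling in the same change and decide whether the old spelling stays as an alias; otherwise existing priority strings that use "%PARTIAL_SAFE_RENEGOTIATION" silently stop matching, and the rename plus the new default (the text now says "%PARTIAL_RENEGOTIATION" is the default for clients and servers, where the removed lines said "%UNSAFE_RENEGOTIATION" was the client default) belongs in the commit message or NEWS. In the "%SAFE_RENEGOTIATION" paragraph, "Currently this causes operability problems" is vague for a user reading the API documentation; state the concrete consequence, e.g. "handshakes with peers that do not implement the safe renegotiation extension will fail", so the trade-off against "%PARTIAL_RENEGOTIATION" is explicit.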