path: root/lib/tls13/post_handshake.c
Diffstat (limited to 'lib/tls13/post_handshake.c')
-rw-r--r--  lib/tls13/post_handshake.c | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c
index 9543ca896e..c550c198a7 100644
--- a/lib/tls13/post_handshake.c
+++ b/lib/tls13/post_handshake.c
@@ -214,16 +214,25 @@ int _gnutls13_reauth_server(gnutls_session_t session)
*
* The former two interrupt the authentication procedure due to the transport
* layer being interrupted, and the latter because there were pending data prior
- * to peer initiating the re-authentication.
+ * to peer initiating the re-authentication. The server should read/process that
+ * data as unauthenticated and retry calling gnutls_reauth().
*
* When this function is called under TLS1.2 or earlier or the peer didn't
* advertise post-handshake auth, it always fails with
* %GNUTLS_E_INVALID_REQUEST. The verification of the received peers certificate
- * is delegated to the session or credentials verification callbacks.
+ * is delegated to the session or credentials verification callbacks. A
+ * server can check whether post handshake authentication is supported
+ * by the client by checking the session flags with gnutls_session_get_flags().
*
* Prior to calling this function in server side, the function
* gnutls_certificate_server_set_request() must be called setting expectations
- * for the received certificate (request or require).
+ * for the received certificate (request or require). If none are set
+ * this function will return with %GNUTLS_E_INVALID_REQUEST.
+ *
+ * Note that post handshake authentication is available irrespective
+ * of the initial negotiation type (PSK or certificate). In all cases
+ * however, certificate credentials must be set to the session prior
+ * to calling this function.
*
* Returns: %GNUTLS_E_SUCCESS on a successful authentication, otherwise a negative error code.
**/
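Review bot: the new sentence "The server should read/process that data as unauthenticated and retry calling gnutls_reauth()" understates the security consequence and should say explicitly that application data received before the re-authentication completes was sent under the previous (possibly PSK-only or anonymous) peer identity and must not be attributed to the certificate the client presents afterwards; as written, "as unauthenticated" is easy to read as a hint about buffering rather than as a trust boundary. Two smaller points in the same hunk: the added text "by checking the session flags with gnutls_session_get_flags()" should name the specific GNUTLS_SFLAGS_* flag value to test, since a reader cannot act on the sentence without it; and the hunk now uses both "post-handshake" (line 19, context line 23) and "post handshake" (lines 27 and 36), so pick one spelling. While touching this comment, the pre-existing "received peers certificate" on context line 24 should read "received peer's certificate".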