Note that disabling SSL_RENEGO doesn't open door for renego attack
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 47c7196..69e997f 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1155,6 +1155,13 @@
* misuse/misunderstand.
*
* Comment this to disable support for renegotiation.
+ *
+ * \note Even if this option is disabled, both client and server are aware
+ * of the Renegotiation Indication Extension (RFC 5746) used to
+ * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ * configuration of this extension).
+ *
*/
#define MBEDTLS_SSL_RENEGOTIATION
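Review bot: The added `\note` says both sides are "aware of" the RFC 5746 extension, but it does not say what happens when the peer does not send it, and that decides whether the protection holds. A client that never renegotiates is still exposed if it completes a handshake with a server that lacks the extension and does renegotiate, so the outcome depends on the legacy policy rather than on this option. I would add a sentence such as `* A peer that does not send the extension is handled according to mbedtls_ssl_conf_legacy_renegotiation(); set MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE to refuse such peers.` Writing the reference as `mbedtls_ssl_conf_legacy_renegotiation()` instead of `\c mbedtls_ssl_conf_legacy_renegotiation` should also let Doxygen link it. The comment block starts above the hunk, so the earlier wording of the option's description is not visible here.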