Add comments on the use of the renego SCSV and the renego ext

commit: 40f8b512210f542e3fd3c34c9c95addba039d6b7 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Thu Oct 12 14:58:55 2017 +0100
committer: Hanno Becker <hanno.becker@arm.com> Tue Oct 17 11:03:50 2017 +0100
tree: ecb05cb715ddc07923f373272d600044299dd2ef
parent: 6851b10ec779772472f50415682abf635251c260 [diff] [blame]
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 544c8cf..335379f 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -134,6 +134,9 @@
 
     *olen = 0;
 
+    /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
+     * initial ClientHello, in which case also adding the renegotiation
+     * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
     if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
         return;
 
@@ -971,6 +974,8 @@
     ext_len += olen;
 #endif
 
+    /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
+     * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
commit	40f8b512210f542e3fd3c34c9c95addba039d6b7	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Thu Oct 12 14:58:55 2017 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Tue Oct 17 11:03:50 2017 +0100
tree	ecb05cb715ddc07923f373272d600044299dd2ef
parent	6851b10ec779772472f50415682abf635251c260 [diff] [blame]