Add warnings about disabling replay detection
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 5591e44..2fc1915 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -931,6 +931,9 @@
* Requires: POLARSSL_SSL_TLS_C
* POLARSSL_POLARSSL_PROTO_DTLS
*
+ * \warning Disabling this is often a security risk!
+ * See ssl_set_dtls_anti_replay() for details.
+ *
* Comment this to disable anti-replay in DTLS.
*/
#define POLARSSL_SSL_DTLS_ANTI_REPLAY
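Review bot: The new warning on this option says "often a security risk", while the ssl.h text it points to says "is a security risk unless the application protocol handles duplicated packets in a safe way"; the two should agree, and the stricter wording is the safer one to repeat here. Judging by the `#endif /* POLARSSL_SSL_DTLS_ANTI_REPLAY */` that follows the declaration in ssl.h, commenting out this define also appears to remove ssl_set_dtls_anti_replay() from the build, so protection is lost for every context with no runtime way to turn it back on. I would say so in the comment, for example `* \warning Disabling this removes anti-replay for all DTLS contexts; prefer ssl_set_dtls_anti_replay() to disable it per context.` The comment block starts above the hunk, so the full option description is not visible here.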
@@ -945,6 +948,8 @@
* unless you know for sure amplification cannot be a problem in the
* environment in which your server operates.
*
+ * \warning Disabling this can ba a security risk! (see above)
+ *
* Requires: POLARSSL_SSL_SRV_C
* POLARSSL_POLARSSL_PROTO_DTLS
*
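Review bot: The added warning line has a typo, "can ba a security risk", which should read `* \warning Disabling this can be a security risk! (see above)`. Doxygen usually renders `\warning` as its own box, so "(see above)" may end up away from the amplification paragraph it refers to; naming the risk in the warning itself, e.g. `* \warning Disabling this can expose the server to use in amplification (see above).`, keeps it self-contained. The context line `POLARSSL_POLARSSL_PROTO_DTLS` here and in the previous hunk looks like a doubled prefix and is worth checking against the real macro name. The comment block starts and ends outside the hunk.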
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 91f92f9..0c167bd 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1279,10 +1279,17 @@
/**
* \brief Enable or disable anti-replay protection for DTLS.
* (DTLS only, no effect on TLS.)
- * Default: enebled.
+ * Default: enabled.
*
* \param ssl SSL context
* \param mode SSL_ANTI_REPLAY_ENABLED or SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning Disabling this is a security risk unless the application
+ * protocol handles duplicated packets in a safe way. You
+ * should not disable this without careful consideration.
+ * However, if your application already detects duplicated
+ * packets and needs information about them to adjust its
+ * transmission strategy, then you'll want to disable this.
*/
void ssl_set_dtls_anti_replay( ssl_context *ssl, char mode );
#endif /* POLARSSL_SSL_DTLS_ANTI_REPLAY */
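Review bot: The new `\warning` on ssl_set_dtls_anti_replay() describes the risk only as "duplicated packets", which reads like benign network duplication and understates what the check is for: rejecting valid records that were captured and sent again later. I would make that explicit, e.g. `* \warning Disabling this is a security risk unless the application protocol safely handles duplicated or replayed records, including ones deliberately re-sent by a third party.` The closing sentence "then you'll want to disable this" also reads as a recommendation inside a warning; "then you may need to disable this, and the application must reject replays itself" keeps the caveat attached. It would also help to document what `mode` values other than the two listed constants do, since the parameter is a plain `char` and the implementation is not visible in this hunk.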