Add warnings about disabling replay detection
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 91f92f9..0c167bd 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1279,10 +1279,17 @@
/**
* \brief Enable or disable anti-replay protection for DTLS.
* (DTLS only, no effect on TLS.)
- * Default: enebled.
+ * Default: enabled.
*
* \param ssl SSL context
* \param mode SSL_ANTI_REPLAY_ENABLED or SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning Disabling this is a security risk unless the application
+ * protocol handles duplicated packets in a safe way. You
+ * should not disable this without careful consideration.
+ * However, if your application already detects duplicated
+ * packets and needs information about them to adjust its
+ * transmission strategy, then you'll want to disable this.
*/
void ssl_set_dtls_anti_replay( ssl_context *ssl, char mode );
#endif /* POLARSSL_SSL_DTLS_ANTI_REPLAY */
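Review bot: The new `\warning` on `ssl_set_dtls_anti_replay()` calls disabling "a security risk" but never names the consequence, so a reader cannot judge whether their protocol "handles duplicated packets in a safe way". I would add one sentence such as `With replay detection disabled, a valid record that is captured and re-sent on the network is accepted and delivered to the application again.` The closing "then you'll want to disable this" reads as a recommendation. Something like `then you may disable this, and the application becomes solely responsible for rejecting replayed records` keeps the use case while making the shift of responsibility explicit. If the same protection can also be compiled out through `POLARSSL_SSL_DTLS_ANTI_REPLAY` (only the closing `#endif` is visible here), the warning probably belongs on that config option as well.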