- Added sending of handshake_failure alerts during renegotiation
 - Handle two legacy modes differently: SSL_LEGACY_BREAK_HANDSHAKE and SSL_LEGACY_NO_RENEGOTIATION

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 3d6e42c..dc2619a 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -122,8 +122,9 @@
 #define SSL_RENEGOTIATION_ENABLED       0
 #define SSL_RENEGOTIATION_DISABLED      1
 
-#define SSL_NO_LEGACY_RENEGOTIATION     0
-#define SSL_ALLOW_LEGACY_RENEGOTIATION  1
+#define SSL_LEGACY_NO_RENEGOTIATION     0
+#define SSL_LEGACY_ALLOW_RENEGOTIATION  1
+#define SSL_LEGACY_BREAK_HANDSHAKE      2
 
 #define SSL_MAX_CONTENT_LEN         16384
 
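Review bot: The two removed lines drop SSL_NO_LEGACY_RENEGOTIATION and SSL_ALLOW_LEGACY_RENEGOTIATION without keeping compatibility aliases, so any application that still passes the old spellings to the legacy-renegotiation setter stops compiling, and the `\param allow_legacy` text later in this same header still cites the old name. If breaking existing callers is not intended, keep the old names as aliases directly after the new block: `#define SSL_NO_LEGACY_RENEGOTIATION     SSL_LEGACY_NO_RENEGOTIATION` and `#define SSL_ALLOW_LEGACY_RENEGOTIATION  SSL_LEGACY_ALLOW_RENEGOTIATION`. With three values the setting is now a mode selector rather than a boolean, so a one-line comment above the block such as `/* Legacy (RFC 5746 non-upgraded peer) renegotiation policy; see ssl_legacy_renegotiation doc below */` would help readers who only see these defines.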
@@ -758,10 +759,25 @@
 
 /**
  * \brief          Prevent or allow legacy renegotiation.
- *                 (Default: SSL_NO_LEGACY_RENEGOTIATION)
- *                 Allowing legacy renegotiation makes the connection
- *                 vulnerable to specific man in the middle attacks.
- *                 (See RFC 5746)
+ *                 (Default: SSL_LEGACY_NO_RENEGOTIATION)
+ *                 
+ *                 SSL_LEGACY_NO_RENEGOTIATION allows connections to
+ *                 be established even if the peer does not support
+ *                 secure renegotiation, but does not allow renegotiation
+ *                 to take place if not secure.
+ *                 (Interoperable and secure option)
+ *
+ *                 SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
+ *                 with non-upgraded peers. Allowing legacy renegotiation
+ *                 makes the connection vulnerable to specific man in the
+ *                 middle attacks. (See RFC 5746)
+ *                 (Most interoperable and least secure option)
+ *
+ *                 SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
+ *                 if peer does not support secure renegotiation. Results
+ *                 in interoperability issues with non-upgraded peers
+ *                 that do not support renegotiation altogether.
+ *                 (Most secure option, interoperability issues)
  *
  * \param ssl      SSL context
  * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION or
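Review bot: The `\param allow_legacy` line at the end of this hunk still lists SSL_NO_LEGACY_RENEGOTIATION, a name this commit removes, and it does not mention the new SSL_LEGACY_BREAK_HANDSHAKE value; it should read `\param allow_legacy  Prevent or allow (SSL_LEGACY_NO_RENEGOTIATION, SSL_LEGACY_ALLOW_RENEGOTIATION or SSL_LEGACY_BREAK_HANDSHAKE)`. The doc comment continues past the hunk, so the remainder of that parameter text and any `\return` should be checked for the same stale name. The SSL_LEGACY_NO_RENEGOTIATION paragraph says renegotiation is "not allowed" with a non-upgraded peer but not what the peer observes; the commit message indicates a handshake_failure alert is sent, and if that is the behaviour a sentence like `(A renegotiation attempt by a non-upgraded peer is refused with a fatal handshake_failure alert.)` would make the option's effect concrete — confirm against the implementation. The first added blank continuation line `*` carries trailing whitespace.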
@@ -914,6 +930,8 @@
 int ssl_handshake_server( ssl_context *ssl );
 void ssl_handshake_wrapup( ssl_context *ssl );
 
+int ssl_send_fatal_handshake_failure( ssl_context *ssl );
+
 int ssl_derive_keys( ssl_context *ssl );
 
 int ssl_read_record( ssl_context *ssl );
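Review bot: The new prototype `ssl_send_fatal_handshake_failure` is added to the public header with no documentation, unlike the `\brief`-documented API earlier in the file; a reader cannot tell from the declaration whether it is part of the application API or an internal helper exposed only for the handshake code. A short comment above it would settle that, e.g. `/* Internal: send a fatal handshake_failure alert to the peer. Returns 0 on success or a negative error code (confirm against the definition in ssl_tls.c). */` — the return contract and the intended audience are not visible here and should be verified against the definition. If it is internal only, placing it beside the other undocumented handshake prototypes is consistent, but saying so explicitly prevents applications from relying on it.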