Update doc of ssl_set_authmode()
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 1e52229..dd3521d 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -620,6 +620,12 @@
*
* SSL_VERIFY_REQUIRED: peer *must* present a valid certificate,
* handshake is aborted if verification failed.
+ *
+ * \note On client, SSL_VERIFY_REQUIRED is the recommended mode.
+ * With SSL_VERIFY_OPTIONAL, the user needs to call ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
*/
void ssl_set_authmode( ssl_context *ssl, int authmode );
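Review bot: The added \note leaves "the right time(s)" undefined, which is the one thing a caller choosing SSL_VERIFY_OPTIONAL needs to know to use it safely. The mention of the triple handshake suggests renegotiation is the case people miss, so I would spell it out, e.g. `With SSL_VERIFY_OPTIONAL, a failed verification does not abort the handshake; the caller must check ssl_get_verify_result() after every handshake, including renegotiations, before trusting the peer.` Please confirm that wording against the SSL_VERIFY_OPTIONAL description, which sits earlier in this comment block and outside the hunk. The note also only covers the client, so a sentence on the recommended server-side mode (or a statement that the choice there depends on whether client certificates are used) would close the gap. Minor grammar: "REQUIRED always perform" should read "REQUIRED always performs".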