Merge branch 'mcatanzaro/tls-docs' into 'master'

Update TLS documentation See merge request GNOME/glib!199
2024-09-20 09:16:15 +02:00 · 2018-08-07 09:46:30 +00:00 · 2018-08-07 09:46:30 +00:00 · a5f824451f
commit a5f824451f
parent e5d9eca334 08fe93589e
2 changed files with 17 additions and 17 deletions
--- a/gio/gtlsclientconnection.c
+++ b/gio/gtlsclientconnection.c
@ -105,14 +105,7 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface)
   *
   * If %TRUE, forces the connection to use a fallback version of TLS
   * or SSL, rather than trying to negotiate the best version of TLS
-   * to use. This can be used when talking to servers that don't
-   * implement version negotiation correctly and therefore refuse to
-   * handshake at all with a modern TLS handshake.
-   *
-   * Despite the property name, the fallback version is usually not
-   * SSL 3.0, because SSL 3.0 is generally disabled by the #GTlsBackend.
-   * #GTlsClientConnection will use the next-highest available version
-   * as the fallback version.
+   * to use. See g_tls_client_connection_set_use_ssl3().
   *
   * Since: 2.28
   *
@ -304,14 +297,19 @@ g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
 * @conn: the #GTlsClientConnection
 * @use_ssl3: whether to use the lowest-supported protocol version
 *
- * If @use_ssl3 is %TRUE, this forces @conn to use the lowest-supported
- * TLS protocol version rather than trying to properly negotiate the
- * highest mutually-supported protocol version with the peer. This can
- * be used when talking to broken TLS servers that exhibit protocol
- * version intolerance.
+ * Since 2.42.1, if @use_ssl3 is %TRUE, this forces @conn to use the
+ * lowest-supported TLS protocol version rather than trying to properly
+ * negotiate the highest mutually-supported protocol version with the
+ * peer. Be aware that SSL 3.0 is generally disabled by the
+ * #GTlsBackend, so the lowest-supported protocol version is probably
+ * not SSL 3.0.
 *
- * Be aware that SSL 3.0 is generally disabled by the #GTlsBackend, so
- * the lowest-supported protocol version is probably not SSL 3.0.
+ * Since 2.58, this may additionally cause an RFC 7507 fallback SCSV to
+ * be sent to the server, causing modern TLS servers to immediately
+ * terminate the connection. You should generally only use this function
+ * if you need to connect to broken servers that exhibit TLS protocol
+ * version intolerance, and when an initial attempt to connect to a
+ * server normally has already failed.
 *
 * Since: 2.28
 *
--- a/gio/gtlsconnection.c
+++ b/gio/gtlsconnection.c
@ -674,7 +674,8 @@ g_tls_connection_get_require_close_notify (GTlsConnection *conn)
 * @conn: a #GTlsConnection
 * @mode: the rehandshaking mode
 *
- * Sets how @conn behaves with respect to rehandshaking requests.
+ * Sets how @conn behaves with respect to rehandshaking requests, when
+ * TLS 1.2 or older is in use.
 *
 * %G_TLS_REHANDSHAKE_NEVER means that it will never agree to
 * rehandshake after the initial handshake is complete. (For a client,
@ -756,7 +757,8 @@ g_tls_connection_get_rehandshake_mode (GTlsConnection       *conn)
 * the beginning of the communication, you do not need to call this
 * function explicitly unless you want clearer error reporting.
 * However, you may call g_tls_connection_handshake() later on to
- * renegotiate parameters (encryption methods, etc) with the client.
+ * rehandshake, if TLS 1.2 or older is in use. With TLS 1.3, this will
+ * instead perform a rekey.
 *
 * #GTlsConnection::accept_certificate may be emitted during the
 * handshake.