From 8a56d3044d123f517d4cebbbadd62f320d39df1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Tue, 11 Mar 2014 10:50:48 +0100
Subject: [PATCH] Update doc of ssl_set_authmode()

---
 include/polarssl/ssl.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 1e52229fa..dd3521dc5 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -620,6 +620,12 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint );
  *
  *  SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
  *                        handshake is aborted if verification failed.
+ *
+ * \note On client, SSL_VERIFY_REQUIRED is the recommended mode.
+ * With SSL_VERIFY_OPTIONAL, the user needs to call ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
  */
 void ssl_set_authmode( ssl_context *ssl, int authmode );