From: Neil Horman Date: Fri, 17 Jan 2025 18:36:26 +0000 (-0500) Subject: Update man page to note limitations of callbacks for QUIC X-Git-Tag: openssl-3.5.0-alpha1~260 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ddfd561f3c702cc12bbc9259807c344ae51e2efa;p=thirdparty%2Fopenssl.git Update man page to note limitations of callbacks for QUIC Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/26361) --- diff --git a/doc/man3/SSL_CTX_set_new_pending_conn_cb.pod b/doc/man3/SSL_CTX_set_new_pending_conn_cb.pod index a50b3029843..2c9cd3db9f0 100644 --- a/doc/man3/SSL_CTX_set_new_pending_conn_cb.pod +++ b/doc/man3/SSL_CTX_set_new_pending_conn_cb.pod @@ -34,6 +34,25 @@ on a subsequent call to SSL_accept_connection(). A nonzero return value is treated as success, allowing the new connection to be enqueued to the accept queue. +=head1 NOTES + +Callbacks in QUIC connections have some limitations to them that should be taken +into consideration when writing an application. + +=over 4 + +QUIC connections may begin processing prior to when an application calls +SSL_accept_connection() on them. As such, it may occur that callbacks are +delivered to appliations' registered TLS callbacks prior to those SSL objects +being returned in SSL_accept_connection(). Applications should expect this +possibilty + +In Particular no references should be held on SSL objects passed to callbacks +for QUIC connections until such time as they are returned through a call to +SSL_accept_connection. + +=back + =head1 HISTORY SSL_CTX_set_new_pending_conn_cb() was added in OpenSSL 3.5
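Review bot: The second paragraph of the new NOTES section tells applications not to hold references on SSL objects passed to callbacks until SSL_accept_connection() returns them, but it never says what goes wrong if they do. Without that, a reader cannot tell how strict the lifetime rule is. Suggest stating the consequence, and saying explicitly whether the rule covers the SSL object handed to the new_pending_conn callback this page documents as well as the "registered TLS callbacks" named in the first paragraph. Wording fixes in the same added text: "appliations'" and "possibilty" are misspelled, the sentence ending "Applications should expect this possibilty" has no final period, "In Particular" should read "In particular,", and the closing "SSL_accept_connection." is missing the "()" used elsewhere in the hunk. The two paragraphs also sit between "=over 4" and "=back" with no "=item" lines, which renders as an indented block rather than a list. If a list of limitations was intended, give each paragraph an "=item *" entry.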