From: Matt Caswell Date: Mon, 2 Jun 2025 14:39:45 +0000 (+0100) Subject: Update documentation regarding no_renegotiation handling X-Git-Tag: openssl-3.4.2~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b829cc50411165f346b9d50a143cbdc54d895c7f;p=thirdparty%2Fopenssl.git Update documentation regarding no_renegotiation handling Clarify what happens in the event that a no_renegotiation alert is received. Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27591) (cherry picked from commit 0db6a59ea7931024d673024c2d17ff1ec44a4e69) --- diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index e4beed72854..bbddfe6a796 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -74,7 +74,7 @@ B. =item B<-no_renegotiation> -Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +Disables all attempts at renegotiation in (D)TLSv1.2 and earlier, same as setting B. =item B<-no_resumption_on_reneg> diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 28b5d680f51..3e7a95dc179 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -285,7 +285,7 @@ Do not query the MTU. Only affects DTLS connections. =item SSL_OP_NO_RENEGOTIATION -Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest +Disable all renegotiation in (D)TLSv1.2 and earlier. Do not send HelloRequest messages, and ignore renegotiation requests via ClientHello. =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod index 6238e67649e..b7af229851c 100644 --- a/doc/man3/SSL_key_update.pod +++ b/doc/man3/SSL_key_update.pod 
@@ -53,7 +53,9 @@ such as SSL_read_ex() or SSL_write_ex() takes place on the connection a check will be performed to confirm that it is a suitable time to start a renegotiation. If so, then it will be initiated immediately. OpenSSL will not attempt to resume any session associated with the connection in the new -handshake. +handshake. Note that some servers will respond to reneogitation attempts with +a "no_renegotiation" alert. An OpenSSL will immediately fail the connection in +this case. When called from the client side, SSL_renegotiate_abbreviated() works in the same was as SSL_renegotiate() except that OpenSSL will attempt to resume the
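Review bot: The new sentence in the SSL_key_update.pod hunk has a typo and a stray article: "reneogitation attempts" should read "renegotiation attempts", and "An OpenSSL will immediately fail the connection" should read "OpenSSL will immediately fail the connection". While touching this paragraph, consider saying "the peer" rather than "some servers": the surrounding text covers SSL_renegotiate() being called from either side, and a no_renegotiation alert can be sent by a client in reply to a HelloRequest just as by a server in reply to a ClientHello. It would also help callers to state how the failure surfaces, i.e. that the pending SSL_read_ex()/SSL_write_ex() returns an error with SSL_get_error() reporting SSL_ERROR_SSL, so applications treat a refused renegotiation as a fatal condition rather than expecting the connection to continue. The context line "works in the same was as SSL_renegotiate()" carries a pre-existing typo ("way") that could be fixed in the same commit.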
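Review bot: The SSL_CTX_set_options.pod hunk still says an OpenSSL server with SSL_OP_NO_RENEGOTIATION will "ignore renegotiation requests via ClientHello", while the SSL_key_update.pod hunk introduces the case of a peer answering with a no_renegotiation alert. The two pages should agree on the observable behaviour: if an OpenSSL endpoint with this option set is itself one of the peers that sends the no_renegotiation alert, say so here and cross-reference L<SSL_renegotiate(3)>, so an operator who disables renegotiation as a hardening measure knows what the other side's application will see.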