From 5838a64bff4a4f0e48b65a24ba0ff2ad494fe86c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 9 Sep 2024 10:57:01 +0200 Subject: [PATCH] Improve some comments Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 706f1e86b9..b0646b829a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -614,6 +614,10 @@ for c in $CONFIGS_ENABLED; do MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_*_ENABLED) PSK_ONLY="NO";; esac done +# At this stage, $PSK_ONLY is empty if we haven't detected a non-PSK +# key exchange, i.e. if we're in a PSK-only build or a build with no +# key exchanges at all. We avoid triggering PSK-only adaptation code in +# the edge case of no key exchangs. : ${PSK_ONLY:=$PSK_PRESENT} unset c @@ -817,8 +821,8 @@ requires_openssl_tls1_3() { fi } -# OpenSSL 3 servers forbid client renegotiation by default. -# Older versions always alow it. +# OpenSSL servers forbid client renegotiation by default since OpenSSL 3.0. +# Older versions always allow it and have no command-line option. OPENSSL_S_SERVER_CLIENT_RENEGOTIATION= case $($OPENSSL s_server -help 2>&1) in *-client_renegotiation*)