Diffstat (limited to 'src/PORTING.md')
-rw-r--r-- src/PORTING.md 25
1 files changed, 16 insertions, 9 deletions
diff --git a/src/PORTING.md b/src/PORTING.md
index 70b67cc..b3e50d7 100644
--- a/src/PORTING.md
+++ b/src/PORTING.md
@@ -103,11 +103,12 @@ OpenSSL enables TLS renegotiation by default and accepts renegotiation requests
from the peer transparently. Renegotiation is an extremely problematic protocol
feature, so BoringSSL rejects peer renegotiations by default.
-To enable renegotiation, call `SSL_set_reject_peer_renegotiations` and set it to
-off. Renegotiation is only supported as a client in SSL3/TLS and the
-HelloRequest must be received at a quiet point in the application protocol. This
-is sufficient to support the common use of requesting a new client certificate
-between an HTTP request and response in (unpipelined) HTTP/1.1.
+To enable renegotiation, call `SSL_set_renegotiate_mode` and set it to
+`ssl_renegotiate_once` or `ssl_renegotiate_freely`. Renegotiation is only
+supported as a client in SSL3/TLS and the HelloRequest must be received at a
+quiet point in the application protocol. This is sufficient to support the
+common use of requesting a new client certificate between an HTTP request and
+response in (unpipelined) HTTP/1.1.
Things which do not work:
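Review bot: the new sentence "call `SSL_set_renegotiate_mode` and set it to `ssl_renegotiate_once` or `ssl_renegotiate_freely`" names two modes but never says how they differ, so someone porting from `SSL_set_reject_peer_renegotiations` cannot tell which one matches the old "off" setting. Suggest adding one sentence per mode and naming the default value that keeps renegotiation rejected. Since the paragraph above calls renegotiation "extremely problematic", it would also help to say which mode is the more restrictive choice for the client-certificate use case described here.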
@@ -123,6 +124,12 @@ Things which do not work:
* If a HelloRequest is received while `SSL_write` has unsent application data,
the renegotiation is rejected.
+### Lowercase hexadecimal
+
+BoringSSL's `BN_bn2hex` function uses lowercase hexadecimal digits instead of
+uppercase. Some code may require changes to avoid being sensitive to this
+difference.
+
## Optional BoringSSL-specific simplifications
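Review bot: "Some code may require changes to avoid being sensitive to this difference" in the new "Lowercase hexadecimal" section does not tell the reader what to look for. Suggest naming the pattern that is affected, for example code that compares `BN_bn2hex` output byte-for-byte against a stored uppercase string, and the fix (compare case-insensitively or normalise the case before comparing). Also check the placement: the section is added directly after the renegotiation "Things which do not work" list, so confirm it sits under the intended parent heading and is not read as part of the renegotiation notes.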
@@ -143,10 +150,10 @@ OpenSSL has a number of different initialization functions for setting up error
strings and loading algorithms, etc. All of these functions still exist in
BoringSSL for convenience, but they do nothing and are not necessary.
-The one exception is `CRYPTO_library_init` (and `SSL_library_init` which merely
-calls it). In `BORINGSSL_NO_STATIC_INITIALIZER` builds, it must be called to
-query CPU capabitilies before the rest of the library. In the default
-configuration, this is done with a static initializer and is also unnecessary.
+The one exception is `CRYPTO_library_init`. In `BORINGSSL_NO_STATIC_INITIALIZER`
+builds, it must be called to query CPU capabitilies before the rest of the
+library. In the default configuration, this is done with a static initializer
+and is also unnecessary.
### Threading
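Review bot: the rewritten paragraph drops the parenthetical "(and `SSL_library_init` which merely calls it)" without saying what `SSL_library_init` does now, so in `BORINGSSL_NO_STATIC_INITIALIZER` builds a caller that relied on `SSL_library_init` alone cannot tell from this text whether it must add an explicit `CRYPTO_library_init` call. Suggest stating that explicitly here, or explaining the removal in the commit message. The re-wrapped line "builds, it must be called to query CPU capabitilies before the rest of the" also carries over the typo "capabitilies"; since the line is being touched anyway, correct it to "capabilities".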