From 398b206ff0b9c16853dbb3264e1ccfa4fd317d91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Thu, 28 May 2015 15:13:30 +0200
Subject: [PATCH] Update doc for ssl_conf_renegotiation

---
 include/mbedtls/ssl.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3997b4d23..e77b4120f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1778,9 +1778,13 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets
  *                 initiated by peer
  *                 (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
  *
- *                 Note: A server with support enabled is more vulnerable for a
- *                 resource DoS by a malicious client. You should enable this on
- *                 a client to enable server-initiated renegotiation.
+ * \warning        It is recommended to always disable renegotation unless you
+ *                 know you need it and you know what you're doing. In the
+ *                 past, there has been several issues associated with
+ *                 renegotiation or a poor understanding of its properties.
+ *
+ * \note           Server-side, enabling renegotiation also makes the server
+ *                 susceptible to a resource DoS by a malicious client.
  *
  * \param conf    SSL configuration
  * \param renegotiation     Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or