From 06a6ed0170cc4e655e5655588e7c8e82c7fe28c5 Mon Sep 17 00:00:00 2001
From: Piotr Sikora <piotrsikora@google.com>
Date: Tue, 4 Jul 2017 06:10:37 -0700
Subject: [PATCH] Clarify use of |SSL_VERIFY_FAIL_IF_NO_PEER_CERT| flag.

Change-Id: I819a5b565e4380f3d816a2e4a68572935c612eae
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/17564
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
---
 include/openssl/ssl.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index b5f1c574..3b91e000 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2167,8 +2167,8 @@ OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
 #define SSL_VERIFY_PEER 0x01
 
 /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if
- * the client declines to send a certificate. Otherwise |SSL_VERIFY_PEER| still
- * allows anonymous clients. */
+ * the client declines to send a certificate. This flag must be used together
+ * with |SSL_VERIFY_PEER|, otherwise it won't work. */
 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
 
 /* SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate