X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fverify.c;h=0208af21b526a0bb028d71793fd7b3c0c68fc295;hb=7eba49d24d56288d83746f3f0ce383d7c0c36552;hp=855c5d21c4bcf470fb9d036523a984e7c4a3a6aa;hpb=a8a45901f08376d0f4b8a6fe72d2cc90e2fc991e;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/verify.c b/src/verify.c
index 855c5d2..0208af2 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -1,7 +1,7 @@
 /*
  * Verify established TLS connections.
  *
- * Copyright (C) 2011-2013  Simon Ruderich
+ * Copyright (C) 2011-2014  Simon Ruderich
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -187,9 +187,14 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         return -2;
     }
 
-    /* Check that the proxy certificate file exists and is readable for this
-     * domain. This ensures we send an "invalid" certificate even if the proxy
-     * certificate doesn't exist. */
+    /* Check that the proxy certificate file for this domain exists and is
+     * readable. This ensures we send an "invalid" certificate if the proxy
+     * certificate doesn't exist.
+     *
+     * If the file gets removed or becomes unreadable after the check we won't
+     * be able to establish a connection to the real server so this
+     * race-condition has no security issues and is only a convenience for the
+     * user. */
     if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
         return -1;
     }