Minor source documentation updates.

[tlsproxy/tlsproxy.git] / src / verify.c

diff --git a/src/verify.c b/src/verify.c
index 855c5d21c4bcf470fb9d036523a984e7c4a3a6aa..d526c1867c788f5041ac3648f37bd114a5c0f9dc 100644 (file)
--- a/src/verify.c
+++ b/src/verify.c
@@ -187,9 +187,14 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         return -2;
     }
 
-    /* Check that the proxy certificate file exists and is readable for this
-     * domain. This ensures we send an "invalid" certificate even if the proxy
-     * certificate doesn't exist. */
+    /* Check that the proxy certificate file for this domain exists and is
+     * readable. This ensures we send an "invalid" certificate if the proxy
+     * certificate doesn't exist.
+     *
+     * If the file gets removed or becomes unreadable after the check we won't
+     * be able to establish a connection to the real server so this
+     * race-condition has no security issues and is only a convenience for the
+     * user. */
     if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
         return -1;
     }