X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=README;fp=README;h=ebcb53fb201f0c111e20a2dc249d272e441f1f76;hp=31a4a569b95d1f26ca8d233f972a7c4895fc5f92;hb=d3ee0e4a91df6a73d93db8f1b0e70d2c528fc7b8;hpb=1071e9bc4a3a5d43daad163be5bc4388abf3a84f diff --git a/README b/README index 31a4a56..ebcb53f 100644 --- a/README +++ b/README @@ -48,8 +48,11 @@ certificate to secure the connection to the client (signed by `proxy-ca.pem`). If an error occurs in the validation (missing `certificate-*.pem` files, fingerprint changed, etc.) it's logged by the proxy (stdout) and the special -`proxy-invalid.pem` certificate is used. It's easy to spot in the browser -because it uses an invalid hostname ("invalid") and is self-signed. +`proxy-invalid.pem` certificate is used to send a 500 error message to the +client. The connection to the server is closed so there's no chance that any +client data is sent to the (possible) evil server. The invalide certificate is +also easy to spot in the browser because it uses an invalid hostname +("invalid") and is self-signed. If an internal error occurs before the TLS connection can be established a 503 Forwarding failure is sent to the client (unencrypted).
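Review bot: the new wording in the README hunk leaves ambiguous at which layer the 500 is delivered; since `proxy-invalid.pem` is self-signed with hostname "invalid", the 500 error can only be sent inside a TLS session the client has accepted, so a browser will show a certificate warning before (or instead of) the 500 page, whereas the following paragraph states the 503 is sent "(unencrypted)". Suggest making that explicit, e.g. "...is used to establish the TLS connection and send a 500 error message to the client (the browser will first warn about the self-signed certificate)". Also, in the added lines: "The invalide certificate" should read "The invalid certificate", and "(possible) evil server" should read "(possibly) evil server". Finally, the claim "there's no chance that any client data is sent" holds only if the server-side connection is closed before any client bytes are forwarded; it would help to state that the client request is never relayed when validation fails, if that is what the code guarantees.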