X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=src%2Fverify.c;h=d526c1867c788f5041ac3648f37bd114a5c0f9dc;hp=855c5d21c4bcf470fb9d036523a984e7c4a3a6aa;hb=e4f2d047eeb0750c7126bd6e3300cd4eab996437;hpb=6dc3fa355759e49319ce0d6aad75e488c4a16247

diff --git a/src/verify.c b/src/verify.c
index 855c5d2..d526c18 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -187,9 +187,14 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         return -2;
     }
 
-    /* Check that the proxy certificate file exists and is readable for this
-     * domain. This ensures we send an "invalid" certificate even if the proxy
-     * certificate doesn't exist. */
+    /* Check that the proxy certificate file for this domain exists and is
+     * readable. This ensures we send an "invalid" certificate if the proxy
+     * certificate doesn't exist.
+     *
+     * If the file gets removed or becomes unreadable after the check we won't
+     * be able to establish a connection to the real server so this
+     * race-condition has no security issues and is only a convenience for the
+     * user. */
     if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
         return -1;
     }