X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=src%2Fngircd%2Fconn.c;h=fab483e1ab2a288a230a39bce68db553df32d418;hb=3db3b47fc7172a69b7d99d66eddb07a323dc6e74;hp=3882899f4406b85829d0f5e0ce04f0008aff093a;hpb=679505aab9fea21b27a3d4bbf99cf2a16cf3d3d5;p=ngircd-alex.git
diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c
index 3882899f..fab483e1 100644
--- a/src/ngircd/conn.c
+++ b/src/ngircd/conn.c
@@ -2556,6 +2556,13 @@ cb_listen_ssl(int sock, short irrelevant)
 /**
  * IO callback for new outgoing SSL-enabled server connections.
  *
+ * IMPORTANT: The SSL session has been validated before, but all errors have
+ * been ignored so far! The reason for this is that the generic SSL code has no
+ * idea if the new session actually belongs to a server, as this only becomes
+ * clear when the remote peer sends its PASS command (and we have to handle
+ * invalid client certificates!). Therefore, it is important to check the
+ * status of the SSL session first before continuing the server handshake here!
+ *
  * @param sock Socket descriptor.
  * @param unused (ignored IO specification)
  */
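Review bot: The added IMPORTANT paragraph states a security requirement (check the SSL session's verification status before continuing the server handshake), but nothing in this hunk shows where that check happens; the documented function's body starts after the hunk, so it cannot be confirmed from here. A deferred-validation design fails open if any one path skips the check, so the comment should name the call that enforces it, for example `* The verification result is checked by <function name> at the top of this callback; on failure the connection is closed.` The comment also says a session is only known to be a server once the peer sends PASS, so the handler for that command presumably needs the same check and a matching note. The phrase "invalid client certificates" would be clearer if it said whether such clients are still accepted as ordinary users.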