Update *_set_cert_cb documentation regarding resumption
Since 34202b93b6195e9c55402a6bc2653956d0cd26d8 cert_cb is always called
before resumption is checked.
Change-Id: I27ca5653144027a1f545a90ecb6b68e64783a66a
Reviewed-on: https://boringssl-review.googlesource.com/c/35004
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 70ad930..b28dcf6 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -881,8 +881,9 @@
// |SSL_get_client_CA_list| for information on the server's certificate
// request.
//
-// On the server, the callback will be called on non-resumption handshakes,
-// after extensions have been processed.
+// On the server, the callback will be called after extensions have been
+// processed, but before the resumption decision has been made. This differs
+// from OpenSSL which handles resumption before selecting the certificate.
OPENSSL_EXPORT void SSL_CTX_set_cert_cb(SSL_CTX *ctx,
int (*cb)(SSL *ssl, void *arg),
void *arg);
@@ -895,6 +896,10 @@
// On the client, the callback may call |SSL_get0_certificate_types| and
// |SSL_get_client_CA_list| for information on the server's certificate
// request.
+//
+// On the server, the callback will be called after extensions have been
+// processed, but before the resumption decision has been made. This differs
+// from OpenSSL which handles resumption before selecting the certificate.
OPENSSL_EXPORT void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg),
void *arg);
