Document the effect of SSL_OP_CLEANSE_PLAINTEXT on send stream data

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21311)
openssl · Jul 2, 2023 · 42926ca · 42926ca
1 parent 292c9df
commit 42926ca
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
@@ -129,7 +129,7 @@ connection. Only available when using the deprecated DTLSv1_client_method() API.
 
 =item SSL_OP_CLEANSE_PLAINTEXT
 
-By default TLS connections keep a copy of received plaintext
+By default TLS and QUIC SSL objects keep a copy of received plaintext
 application data in a static buffer until it is overwritten by the
 next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT
 deciphered application data is cleansed by calling OPENSSL_cleanse(3)
@@ -141,6 +141,14 @@ responsible for cleansing all other buffers. Most notably, this
 applies to buffers passed to functions like L<SSL_read(3)>,
 L<SSL_peek(3)> but also like L<SSL_write(3)>.
 
+TLS connections do not buffer data to be sent in plaintext. QUIC stream
+objects do buffer plaintext data to be sent and this option will also cause
+that data to be cleansed when it is discarded.
+
+This option can be set differently on individual QUIC stream objects and
+has no effect on QUIC connection objects (except where a default stream is
+being used).
+
 =item SSL_OP_COOKIE_EXCHANGE
 
 Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects