author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-03-25 13:35:56 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-03-25 13:35:56 +0000 |
commit | 6a778dbc2240a45ece7d74b945dfaa3e18a6079d (patch) | |
tree | f6057053c3af2760158ccbae178d8ef7280d7a41 | |
parent | 7bdd6c0b89bac2f1e007327ec9d03ba73bfbadd7 (diff) | |
download | gnutls-6a778dbc2240a45ece7d74b945dfaa3e18a6079d.tar.gz |
*** empty log message ***
-rw-r--r-- | doc/tex/gnutls.bib | 9 | ||||
-rw-r--r-- | doc/tex/howto.tex | 12 | ||||
-rw-r--r-- | doc/tex/tls_extensions.tex | 14 |
3 files changed, 27 insertions, 8 deletions
diff --git a/doc/tex/gnutls.bib b/doc/tex/gnutls.bib index db2bdf6d7c..4fc1184d81 100644 --- a/doc/tex/gnutls.bib +++ b/doc/tex/gnutls.bib @@ -1,3 +1,12 @@ +@Misc{RFC2817, + author = "Rohit Khare and Scott Lawrence", + title = "Upgrading to TLS Within HTTP/1.1", + month = "May", + year = {2000}, + note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2817.txt", + url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2817.txt" +} + @Misc{RFC2246, author = "Tim Dierks and Christopher Allen", title = "The TLS Protocol Version 1.0", diff --git a/doc/tex/howto.tex b/doc/tex/howto.tex index 19997ace22..0c03ef7dd9 100644 --- a/doc/tex/howto.tex +++ b/doc/tex/howto.tex @@ -24,7 +24,8 @@ This approach starts the \tls{} Handshake procedure just after the client connects on the --so called-- secure port. That way the \tls{} protocol does not know anything about the client, and popular methods like the host advertising in -HTTP do not work. There is no way for the client to say ``I connected +HTTP do not work\footnote{see also the Server Name Indication extension on \ref{serverind}, page \pageref{serverind}.}. +There is no way for the client to say ``I connected to YYY server'' before the Handshake starts, so the server cannot possibly know which certificate to use\footnote{There is some effort to solve this problem within \tls{}}. 
@@ -44,8 +45,13 @@ the application protocol to have a ``STARTTLS'' request, whose purpose it to start the TLS protocols just after the client requests it. This is a really neat idea and does not require an extra port. \par -The tricky part is that the ``STARTTLS'' request is sent in the clear, -thus is vulnerable to modifications. A typical attack is to modify the +This method is used by almost all modern protocols and there is +even the \cite{RFC2817} paper which proposes extensions to HTTP +to support it. +\par +The tricky part, in this method, is that the ``STARTTLS'' request is sent +in the clear, thus is vulnerable to modifications. +A typical attack is to modify the messages in a way that the client is fooled and thinks that the server does not have the ``STARTTLS'' capability. See a typical conversation of a hypothetical protocol: diff --git a/doc/tex/tls_extensions.tex b/doc/tex/tls_extensions.tex index 23786c1f50..9bf698cbd6 100644 --- a/doc/tex/tls_extensions.tex +++ b/doc/tex/tls_extensions.tex 
@@ -23,15 +23,19 @@ functions. \subsection*{Server name indication} \index{TLS Extensions!Server name indication} +\label{serverind} A common problem in HTTPS servers is the fact that the \tls{} protocol is not aware of the hostname that a client connects to, when the handshake procedure begins. For that reason the \tls{} server -has no way to know which certificate to send. This extension is hack -to the \tls{} protocol to allow the client to send the HTTP hostname -before the handshake begins --within the first handshake packet. +has no way to know which certificate to send. -See the functions +This extension solves that problem within the \tls{} protocol +and allows a client to send the HTTP hostname +before the handshake begins --within the first handshake packet. +The functions \printfunc{gnutls_server_name_set}{gnutls\_server\_name\_set} and -\printfunc{gnutls_server_name_get}{gnutls\_server\_name\_get}. +\printfunc{gnutls_server_name_get}{gnutls\_server\_name\_get} +can be used to enable this extension, or to retrieve the name sent +by a client. |
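Review bot: In the doc/tex/gnutls.bib hunk, the new RFC2817 entry puts the same third-party mirror address (kaizi.viagenie.qc.ca) in both `note` and `url`, so the citation breaks if that one host goes away. Suggest naming the document as RFC 2817 in the `note` field and keeping a single `url`, preferably a stable copy such as the RFC Editor's. The entry also writes `year = {2000}` in braces while its other fields use double quotes; using one delimiter style throughout keeps the file consistent.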
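Review bot: In the first doc/tex/howto.tex hunk (@@ -24,7 +24,8), the added footnote uses `\ref{serverind}`, but the matching `\label{serverind}` is placed under `\subsection*{Server name indication}`, which is unnumbered, so the reference will print whatever counter was last stepped (typically the enclosing section) rather than a number for that subsection. Suggest keeping only the page reference, for example "see also the Server Name Indication extension on page \pageref{serverind}", or numbering the subsection. The unchanged footnote at the end of the paragraph, "There is some effort to solve this problem within \tls{}", now follows a pointer to the extension that solves it and could be merged into the new footnote or dropped.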
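Review bot: In the second doc/tex/howto.tex hunk (@@ -44,8 +45,13), the added sentence "This method is used by almost all modern protocols" claims more than the text supports, and "the \cite{RFC2817} paper" is awkward for an RFC. Suggest something like "This method is used by many protocols, and \cite{RFC2817} proposes extensions to HTTP to support it." The phrase "in this method" in the reworded attack paragraph is set off by commas that are not needed, and the context line just above still reads "whose purpose it to start", which could be corrected to "whose purpose is to start" in the same change.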
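Review bot: In the doc/tex/tls_extensions.tex hunk, the new text still says the client sends the hostname "before the handshake begins --within the first handshake packet", which contradicts itself: a name carried in the first handshake packet is sent as part of the handshake, not before it. Suggest "allows a client to send the hostname within the first handshake packet, before the server selects a certificate". The closing sentence, "can be used to enable this extension, or to retrieve the name sent by a client", leaves the reader to guess which function does which; stating that gnutls_server_name_set is the client-side call and gnutls_server_name_get the server-side one would make it usable as reference. Since the name travels in the first handshake packet, it would also help to say that it is sent unencrypted and that the server should treat the value from gnutls_server_name_get as client-supplied input.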