On Thu, 14 Nov 2024 16:50:51 +0100 Sabrina Dubroca wrote: > +To prevent attempting to decrypt incoming records using the wrong key, > +decryption will be paused when a KeyUpdate message is received by the > +kernel, until the new key has been provided using the TLS_RX socket > +option. Any read occurring after the KeyUpdate has been read and > +before the new key is provided will fail with EKEYEXPIRED. Poll()'ing > +the socket will also sleep until the new key is provided. There is no > +pausing on the transmit side. Thanks for the doc update, very useful. I'm not a socket expert so dunno if suppressing POLLIN is the right thing to do. But a nit on the phrasing - I'd say "poll() will not report any events from the socket until.." ? Could be just me but sleep is a second order effect.