From b8d8af7b297a83d3cdc73a62996e49798d0cedd2 Mon Sep 17 00:00:00 2001 From: Daniel Roethlisberger Date: Sun, 4 Jan 2015 14:21:49 +0100 Subject: [PATCH] Document the limitations of passthrough mode (-P) --- sslsplit.1 | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/sslsplit.1 b/sslsplit.1 index 172d857..19b429f 100644 --- a/sslsplit.1 +++ b/sslsplit.1 @@ -219,9 +219,14 @@ Passthrough SSL/TLS connections which cannot be split instead of dropping them. Connections cannot be split if \fB-c\fP and \fB-k\fP are not given and the site does not match any certificate loaded using \fB-t\fP, or if the connection to the original server gives SSL/TLS errors. Specifically, this happens if the -site requests a client certificate. Passthrough with \fB-P\fP results in -uninterrupted service for the clients, while dropping is the more secure -alternative if unmonitored connections must be prevented. +site requests a client certificate. +In these situations, passthrough with \fB-P\fP results in uninterrupted service +for the clients, while dropping is the more secure alternative if unmonitored +connections must be prevented. +Passthrough mode currently does not apply to SSL/TLS errors in the connection +from the client, since the connection from the client cannot easily be retried. +Specifically, \fB-P\fP does not currently work for clients that do not accept +forged certificates. .TP .B \-r \fIproto\fP Force SSL/TLS protocol version on both client and server side to \fIproto\fP
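Review bot: the last added sentence ("\fB-P\fP does not currently work for clients that do not accept forged certificates") states the limitation but leaves the resulting behaviour implicit; say what happens to such connections, presumably that they are dropped rather than passed through, in the same terms the preceding paragraph uses for server-side failures, e.g. "such connections are dropped as if \fB-P\fP had not been given", so operators reading the option know to expect connection failures for clients that validate certificates strictly even with \fB-P\fP enabled. Minor: "currently" appears in two consecutive sentences of the new text; one occurrence is enough.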