diff options
Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3')
-rw-r--r-- | secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 | 33 |
1 files changed, 7 insertions, 26 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 index fc014875478e..c04a9e0bb97f 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30) .\" .\" Standard preamble: .\" ======================================================================== @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_tmp_dh_callback 3" -.TH SSL_CTX_set_tmp_dh_callback 3 "2015-12-03" "1.0.2e" "OpenSSL" +.TH SSL_CTX_set_tmp_dh_callback 3 "2016-01-28" "1.0.2f" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -184,25 +184,8 @@ even if he gets hold of the normal (certified) key, as this key was only used for signing. .PP In order to perform a \s-1DH\s0 key exchange the server must use a \s-1DH\s0 group -(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key. -The server will always generate a new \s-1DH\s0 key during the negotiation -if either the \s-1DH\s0 parameters are supplied via callback or the -\&\s-1SSL_OP_SINGLE_DH_USE\s0 option of \fISSL_CTX_set_options\fR\|(3) is set (or both). -It will immediately create a \s-1DH\s0 key if \s-1DH\s0 parameters are supplied via -\&\fISSL_CTX_set_tmp_dh()\fR and \s-1SSL_OP_SINGLE_DH_USE\s0 is not set. -In this case, -it may happen that a key is generated on initialization without later -being needed, while on the other hand the computer time during the -negotiation is being saved. -.PP -If \*(L"strong\*(R" primes were used to generate the \s-1DH\s0 parameters, it is not strictly -necessary to generate a new key for each handshake but it does improve forward -secrecy. If it is not assured that \*(L"strong\*(R" primes were used, -\&\s-1SSL_OP_SINGLE_DH_USE\s0 must be used in order to prevent small subgroup -attacks. Always using \s-1SSL_OP_SINGLE_DH_USE\s0 has an impact on the -computer time needed during negotiation, but it is not very large, so -application authors/users should consider always enabling this option. -The option is required to implement perfect forward secrecy (\s-1PFS\s0). +(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key. The server will always generate +a new \s-1DH\s0 key during the negotiation. .PP As generating \s-1DH\s0 parameters is extremely time consuming, an application should not generate the parameters on the fly but supply the parameters. @@ -229,10 +212,9 @@ can supply the \s-1DH\s0 parameters via a callback function. Previous versions of the callback used \fBis_export\fR and \fBkeylength\fR parameters to control parameter generation for export and non-export cipher suites. Modern servers that do not support export ciphersuites -are advised to either use \fISSL_CTX_set_tmp_dh()\fR in combination with -\&\s-1SSL_OP_SINGLE_DH_USE,\s0 or alternatively, use the callback but ignore -\&\fBkeylength\fR and \fBis_export\fR and simply supply at least 2048\-bit -parameters in the callback. +are advised to either use \fISSL_CTX_set_tmp_dh()\fR or alternatively, use +the callback but ignore \fBkeylength\fR and \fBis_export\fR and simply +supply at least 2048\-bit parameters in the callback. .SH "EXAMPLES" .IX Header "EXAMPLES" Setup \s-1DH\s0 parameters with a key length of 2048 bits. (Error handling @@ -264,7 +246,6 @@ partly left out.) \& if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { \& /* Error. */ \& } -\& SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); \& ... .Ve .SH "RETURN VALUES" |