author | Matt Caswell <matt@openssl.org> | 2017-05-03 16:39:57 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-05-03 16:57:54 +0100 |
commit | 47f7cf051bbb5d67778f6250c3c85341afea86d6 | |
tree | 17c4b5782fa05bcf634e14591d948b7c873d871c | |
parent | 863fe19b5fb4a2af9f47ed664cb9dcb7d52331d1 | |
Update the documentation for "Groups" and "Curves"
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3375)
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 44 |
1 files changed, 36 insertions, 8 deletions
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index efd766d7db..6731cf724a 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -73,6 +73,26 @@ The B<value> argument is a colon separated list of curves. The curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g B<prime256v1>). Curve names are case sensitive. +=item B<-groups> + +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. + +The B<value> argument is a colon separated list of groups. The group can be +either the B<NIST> name (e.g. B<P-256>), some other commonly used name where +applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g B<prime256v1>). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B<-curves> + +This is a synonym for the "-groups" command. + + =item B<-named_curve> This sets the temporary curve used for ephemeral ECDH modes. Only used by 
@@ -273,16 +293,24 @@ used to determine which signature algorithm to with the client certificate. The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then the value set for B<SignatureAlgorithms> will be used instead. -=item B<Curves> +=item B<Groups> -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. -The B<value> argument is a colon separated list of curves. The curve can be -either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g -B<prime256v1>). Curve names are case sensitive. +The B<value> argument is a colon separated list of groups. The group can be +either the B<NIST> name (e.g. B<P-256>), some other commonly used name where +applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g B<prime256v1>). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B<Curves> + +This is a synonym for the "Groups" command. =item B<MinProtocol> |
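Review bot: in the first hunk (@@ -73,6 +73,26 @@), the unchanged context at the top still reads "The B<value> argument is a colon separated list of curves. ... Curve names are case sensitive.", so the existing curve description appears to stay in place while a second entry, =item B<-curves>, is added below it as a synonym for -groups. The second hunk removes the old Curves text before adding its synonym entry; the command-line section should get the same treatment so the rendered page does not carry two different descriptions of -curves, one of which lacks the new ordering and key_share semantics. Minor points in the same hunk: two blank lines are added before =item B<-named_curve> where one is enough, and the added "(e.g B<prime256v1>)" is missing the period after "e.g" that the other two examples in that sentence have.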
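Review bot: in the second hunk (@@ -273,16 +293,24 @@), the new Groups text says the list "should be in order of preference" and that the first listed group is the one used for a TLSv1.3 client's key_share, but for servers it only says the list "is used to determine which group to use" and never states whether the server's order or the client's order decides the selection. An operator who orders the list to prefer a particular group needs to know whether that order is honoured on the server side, so a sentence stating the server-side selection rule should be added here and in the matching -groups text. The synonym entry also writes "Groups" in plain double quotes; B<Groups> would match the markup used for every other option name in the hunk. The added "(e.g B<prime256v1>)" has the same missing period after "e.g" as in the first hunk, and since this paragraph is a verbatim copy of the -groups paragraph, one of the two could reference the other to keep them from drifting apart.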