author | Pauli <paul.dale@oracle.com> | 2020-03-12 13:51:57 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-03-14 15:05:55 +1000 |
commit | bee68c475dd66b799b768f0bfe7389ad00fd902d | |
tree | 355d635c6445c566af5f30a3017f0e4d6d4672bd /doc/man3 | |
parent | ca7f7b951825e23dddb798f6a61f50a04225d25a |

dh: document what the PEM files in apps actually contain.

They were claimed to be the SKIP primes but they are really two of the
MODP Diffie-Hellman groups for IKE.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)

Diffstat (limited to 'doc/man3')
-rw-r--r-- | doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index 0e9108d063..c8d25f4573 100644 --- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -63,12 +63,11 @@ openssl L<openssl-dhparam(1)> application. This application guarantees that "strong" primes are used. Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current -version of the OpenSSL distribution contain the 'SKIP' DH parameters, -which use safe primes and were generated verifiably pseudo-randomly. -These files can be converted into C code using the B<-C> option of the -L<openssl-dhparam(1)> application. Generation of custom DH -parameters during installation should still be preferred to stop an -attacker from specializing on a commonly used group. File dh1024.pem +version of the OpenSSL distribution contain two of the MODP Diffie-Hellman +groups for IKE as per RFC 3526. These files can be converted into C code +using the B<-C> option of the L<openssl-dhparam(1)> application. Generation +of custom DH parameters during installation should still be preferred to +stop an attacker from specializing on a commonly used group. File dh1024.pem contains old parameters that must not be used by applications. An application may either directly specify the DH parameters or |
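Review bot: The new sentence in the `@@ -63,12 +63,11 @@` hunk says dh2048.pem and dh4096.pem contain "two of the MODP Diffie-Hellman groups for IKE as per RFC 3526" but does not say which group is in which file. RFC 3526 defines several groups, so a reader who wants to compare the PEM contents against the RFC has to guess. Consider naming them explicitly, for example by bit length and RFC group number per file. The change also removes the clause "which use safe primes" without a replacement. The preceding paragraph stresses that openssl-dhparam(1) guarantees "strong" primes, so it would help to state whether the same property holds for the shipped groups, since that is what an application author choosing between these files and custom parameters needs to know. Minor: the unchanged context line "Files dh2048.pem, and dh4096.pem" has a stray comma that could be fixed while this paragraph is being rewritten.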