Swap to FIPS186-2 DSA generation outside of the FIPS module

Inside the FIPS module we continue to use FIPS186-4. We prefer FIPS186-2 in the default provider for backwards compatibility reasons. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13228)
author: Matt Caswell <matt@openssl.org> 2020-10-23 12:35:00 +0100
committer: Matt Caswell <matt@openssl.org> 2020-11-18 14:54:18 +0000
commit: f1d6670840b08104646713f464a6ef42e2cf1c2a (patch)
tree: 5548329237ea84a4a4f67dfce768b708f2d62056 /doc
parent: c2bd8d27835186b9fc4c7e4e12a3f6d81bac0544 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
index 8b06a49d06..1de332c3b3 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -455,9 +455,10 @@ Uses a safe prime generator g (PKCS#3 format).
 
 =back
 
-The default is B<DH_PARAMGEN_TYPE_GENERATOR> in the default provider for the
-"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_4> in the FIPS provider and for
-the "DHX" keytype in the default provider.
+The default in the default provider is B<DH_PARAMGEN_TYPE_GENERATOR> for the
+"DH" keytype, and B<DH_PARAMGEN_TYPE_FIPS_186_2> for the "DHX" keytype. In the
+FIPS provider the default value is B<DH_PARAMGEN_TYPE_GROUP> for the "DH"
+keytype and <B<DH_PARAMGEN_TYPE_FIPS_186_4> for the "DHX" keytype.
 
 EVP_PKEY_CTX_set_dh_paramgen_gindex() sets the I<gindex> used by the generator G.
 The default value is -1 which uses unverifiable g, otherwise a positive value
author	Matt Caswell <matt@openssl.org>	2020-10-23 12:35:00 +0100
committer	Matt Caswell <matt@openssl.org>	2020-11-18 14:54:18 +0000
commit	f1d6670840b08104646713f464a6ef42e2cf1c2a (patch)
tree	5548329237ea84a4a4f67dfce768b708f2d62056 /doc
parent	c2bd8d27835186b9fc4c7e4e12a3f6d81bac0544 (diff)