=head1 SYNOPSIS
-B<openssl dh>
+B<openssl dhparam>
+[B<-help>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-dsaparam>]
+[B<-check>]
[B<-noout>]
[B<-text>]
[B<-C>]
[B<-2>]
[B<-5>]
-[B<-rand file(s)>]
-[numbits]
+[B<-rand> I<file(s)>]
+[B<-engine id>]
+[I<numbits>]
=head1 DESCRIPTION
=over 4
+=item B<-help>
+
+Print out a usage message.
+
=item B<-inform DER|PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
as the input filename.
+=item B<-dsaparam>
+
+If this option is used, DSA rather than DH parameters are read or created;
+they are converted to DH format. Otherwise, "strong" primes (such
+that (p-1)/2 is also prime) will be used for DH parameter generation.
+
+DH parameter generation with the B<-dsaparam> option is much faster,
+and the recommended exponent length is shorter, which makes DH key
+exchange more efficient. Beware that with such DSA-style DH
+parameters, a fresh DH key should be created for each use to
+avoid small-subgroup attacks that may be possible otherwise.
+
+=item B<-check>
+
+Performs numerous checks to see if the supplied parameters are valid and
+displays a warning if not.
+
=item B<-2>, B<-5>
-The generator to use, either 2 or 5. 2 is the default. If present then the
-input file is ignored and parameters are generated instead.
+The generator to use, either 2 or 5. If present then the
+input file is ignored and parameters are generated instead. If not
+present but B<numbits> is present, parameters are generated with the
+default generator 2.
-=item B<-rand file(s)>
+=item B<-rand> I<file(s)>
a file or files containing random data used to seed the random number
-generator. Multiple files can be specified separated by a OS-dependent
-character. For MS-Windows, the separator is B<;>. For OpenVMS, it's
-B<,>. For all others, it's B<:>.
+generator, or an EGD socket (see L<RAND_egd(3)>).
+Multiple files can be specified separated by an OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
-=item B<numbits>
+=item I<numbits>
this option specifies that a parameter set should be generated of size
-B<numbits>. It must be the last option. If not present then a value of 512
-is used. If this option is present then the input file is ignored and
-parameters are generated instead.
+I<numbits>. It must be the last option. If this option is present then
+the input file is ignored and parameters are generated instead. If
+this option is not present but a generator (B<-2> or B<-5>) is
+present, parameters are generated with a default length of 2048 bits.
=item B<-noout>
=item B<-C>
this option converts the parameters into C code. The parameters can then
-be loaded by calling the B<get_dhXXX()> function.
+be loaded by calling the get_dhNNNN() function.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B<id> string) will cause B<dhparam>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
=back
=head1 WARNINGS
The program B<dhparam> combines the functionality of the programs B<dh> and
-B<gendh> in previous versions of OpenSSL and SSLeay. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future
+B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
+programs are retained for now but may have different purposes in future
versions of OpenSSL.
=head1 NOTES
=head1 SEE ALSO
-L<dsaparam(1)|dsaparam(1)>
+L<dsaparam(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
=cut