From: David Gatwood Date: Tue, 26 Aug 2014 17:02:03 +0000 (-0400) Subject: RT1744: SSL_CTX_set_dump_dh() doc feedback X-Git-Tag: master-post-reformat~458^2 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=a4d266b82438ee9792d68dbe694170502e5e38da RT1744: SSL_CTX_set_dump_dh() doc feedback The description of when the server creates a DH key is confusing. This cleans it up. (rsalz: also removed trailing whitespace.) Reviewed-by: Viktor Dukhovni --- diff --git a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod index b34c68aba3..7a27eef50b 100644 --- a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod @@ -48,12 +48,13 @@ even if he gets hold of the normal (certified) key, as this key was only used for signing. In order to perform a DH key exchange the server must use a DH group -(DH parameters) and generate a DH key. The server will always generate a new -DH key during the negotiation, when the DH parameters are supplied via -callback and/or when the SSL_OP_SINGLE_DH_USE option of -L is set. It will -immediately create a DH key, when DH parameters are supplied via -SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case, +(DH parameters) and generate a DH key. +The server will always generate a new DH key during the negotiation +if either the DH parameters are supplied via callback or the +SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both). +It will immediately create a DH key if DH parameters are supplied via +SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. +In this case, it may happen that a key is generated on initialization without later being needed, while on the other hand the computer time during the negotiation is being saved. @@ -139,7 +140,7 @@ partly left out.) dh_tmp = dh_512; break; case 1024: - if (!dh_1024) + if (!dh_1024) dh_1024 = get_dh1024(); dh_tmp = dh_1024; break;