Commit a4d266b8 authored by David Gatwood's avatar David Gatwood Committed by Rich Salz
Browse files

RT1744: SSL_CTX_set_dump_dh() doc feedback 



The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
parent fd4592be

doc/ssl/SSL_CTX_set_tmp_dh_callback.pod

+8 −7
Original line number Diff line number Diff line
@@ -48,12 +48,13 @@ even if he gets hold of the normal (certified) key, as this key was 
only used for signing.



In order to perform a DH key exchange the server must use a DH group

(DH parameters) and generate a DH key. The server will always generate a new

DH key during the negotiation, when the DH parameters are supplied via

callback and/or when the SSL_OP_SINGLE_DH_USE option of

L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will

immediately create a DH key, when DH parameters are supplied via

SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,

(DH parameters) and generate a DH key.

The server will always generate a new DH key during the negotiation

if either the DH parameters are supplied via callback or the

SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).

It will  immediately create a DH key if DH parameters are supplied via

SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.

In this case,

it may happen that a key is generated on initialization without later

being needed, while on the other hand the computer time during the

negotiation is being saved.