Commit 0ec6898c authored by Daniel Kahn Gillmor, committed by Kurt Roeckx

Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH

see RT #3203

Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants.  This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
parent 1e10aee2
+4 −4
@@ -177,12 +177,12 @@ cipher suites using RSA key exchange.
cipher suites using DH key agreement and DH certificates signed by CAs with RSA
and DSS keys or either respectively.

=item B<kEDH>
=item B<kDHE>, B<kEDH>

cipher suites using ephemeral DH key agreement, including anonymous cipher
suites.

=item B<EDH>
=item B<DHE>, B<EDH>

cipher suites using authenticated ephemeral DH key agreement.

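Review bot: The new kDHE and DHE aliases are listed alongside kEDH and EDH, but nothing in this hunk tells the reader which spelling the library itself emits in cipher names on this branch; a one-line pointer to the EDH/EECDH naming note added to SSL_CIPHER_get_name(3) in this commit would stop users from expecting "DHE" to appear in reported cipher names after selecting suites with this alias.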
@@ -200,12 +200,12 @@ cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
keys or either respectively.

=item B<kEECDH>
=item B<kECDHE>, B<kEECDH>

cipher suites using ephemeral ECDH key agreement, including anonymous
cipher suites.

=item B<EECDHE>
=item B<ECDHE>, B<EECDH>

cipher suites using authenticated ephemeral ECDH key agreement.

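Review bot: The old heading read B<EECDHE>, which does not match the B<kEECDH>/B<EECDH> keyword pair used elsewhere in this section, so this hunk silently corrects a pre-existing documentation typo in addition to adding the B<ECDHE> alias; worth a mention in the commit message so the fix is not lost if the alias change is ever reverted.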
+12 −1
@@ -109,6 +109,16 @@ If SSL_CIPHER_description() cannot handle a built-in cipher, the according
description of the cipher property is B<unknown>. This case should not
occur.

The standard terminology for ephemeral Diffie-Hellman schemes is DHE
(finite field) or ECDHE (elliptic curve).  This version of OpenSSL
idiosyncratically reports these schemes as EDH and EECDH, even though
it also accepts the standard terminology.

It is recommended to use the standard terminology (DHE and ECDHE)
during configuration (e.g. via SSL_CTX_set_cipher_list) for clarity of
configuration.  OpenSSL versions after 1.0.2 will report the standard
terms via SSL_CIPHER_get_name and SSL_CIPHER_description.

=head1 RETURN VALUES

See DESCRIPTION
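Review bot: The sentence "OpenSSL versions after 1.0.2 will report the standard terms via SSL_CIPHER_get_name and SSL_CIPHER_description" commits a stable-branch manual page to the behaviour of future releases; "are expected to" would be safer. Since this branch keeps emitting EDH and EECDH while later versions are said to emit DHE and ECDHE, applications that check for forward secrecy by matching the reported name string should be told to accept both spellings; a sentence to that effect would make the "idiosyncratically reports" remark actionable. Minor: SSL_CTX_set_cipher_list in the new paragraph should use the L<...> link form this page uses elsewhere.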
@@ -116,6 +126,7 @@ See DESCRIPTION
=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>,
L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>

=cut
+1 −1
@@ -41,7 +41,7 @@ RSA export ciphers with a keylength of 512 bits for the RSA key require
a temporary 512 bit RSA key, as typically the supplied key has a length
of 1024 bit (see
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
RSA ciphers using EDH need a certificate and key and additional DH-parameters
RSA ciphers using DHE need a certificate and key and additional DH-parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).

A DSA cipher can only be chosen, when a DSA certificate is available.
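Review bot: "RSA ciphers using DHE" now names the key exchange differently from what this branch prints in cipher descriptions (EDH, per the note added to SSL_CIPHER_get_name(3) in this commit); writing "DHE (reported as EDH)" on first use, here and in the other manual pages touched, would avoid a reader concluding the two are different cipher classes.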
+1 −1
@@ -165,7 +165,7 @@ can only be used for signature operations (namely under export ciphers
with restricted RSA keylength). By setting this option, ephemeral
RSA keys are always used. This option breaks compatibility with the
SSL/TLS specifications and may lead to interoperability problems with
clients and should therefore never be used. Ciphers with EDH (ephemeral
clients and should therefore never be used. Ciphers with DHE (ephemeral
Diffie-Hellman) key exchange should be used instead.

=item SSL_OP_CIPHER_SERVER_PREFERENCE
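Review bot: Style: this hunk expands the term as "(ephemeral Diffie-Hellman)" while the corresponding change in the next file writes "(Ephemeral Diffie-Hellman)"; pick one capitalisation across the pages touched by this commit.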
+1 −1
@@ -70,7 +70,7 @@ the TLS standard, when the RSA key can be used for signing only, that is
for export ciphers. Using ephemeral RSA key exchange for other purposes
violates the standard and can break interoperability with clients.
It is therefore strongly recommended to not use ephemeral RSA key
exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
exchange and use DHE (Ephemeral Diffie-Hellman) key exchange instead
in order to achieve forward secrecy (see
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).

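Review bot: The recommendation to use DHE "in order to achieve forward secrecy" could equally name ECDHE, which this commit also makes selectable by its standard name and which provides the same property; listing both ("DHE or ECDHE") here would keep the advice consistent with the rest of the change.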