dh: document what the PEM files in apps actually contain.

They were claimed to be the SKIP primes but they are really two of the
MODP Diffie-Hellman groups for IKE.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
Pauli 2020-03-12 13:51:57 +10:00
parent ca7f7b9518
commit bee68c475d
1 changed files with 5 additions and 6 deletions

@ -63,12 +63,11 @@ openssl L<openssl-dhparam(1)> application. This application
guarantees that "strong" primes are used.
Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
version of the OpenSSL distribution contain the 'SKIP' DH parameters,
which use safe primes and were generated verifiably pseudo-randomly.
These files can be converted into C code using the B<-C> option of the
L<openssl-dhparam(1)> application. Generation of custom DH
parameters during installation should still be preferred to stop an
attacker from specializing on a commonly used group. File dh1024.pem
version of the OpenSSL distribution contain two of the MODP Diffie-Hellman
groups for IKE as per RFC 3526. These files can be converted into C code
using the B<-C> option of the L<openssl-dhparam(1)> application. Generation
of custom DH parameters during installation should still be preferred to
stop an attacker from specializing on a commonly used group. File dh1024.pem
contains old parameters that must not be used by applications.
An application may either directly specify the DH parameters or
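
Review bot: The replacement sentence ("contain two of the MODP Diffie-Hellman groups for IKE as per RFC 3526") does not say which RFC 3526 group each file holds. Name the group for dh2048.pem and for dh4096.pem explicitly, so a reader can compare the PEM contents against the RFC instead of inferring the mapping from the file names. The rewrite also drops the old statement that the parameters "use safe primes"; the preceding sentence is about "strong" primes, so if that property holds for these groups it is worth restating here. Finally, now that the files are identified as published, widely shared groups, the advice to prefer custom parameters "to stop an attacker from specializing on a commonly used group" applies to them directly, and the text could say so. Separately, the unchanged context line "Files dh2048.pem, and dh4096.pem" carries a stray comma that could be cleaned up in the same change.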