RT1744: SSL_CTX_set_dump_dh() doc feedback

The description of when the server creates a DH key is confusing. This cleans it up. (rsalz: also removed trailing whitespace.) Reviewed-by: N Viktor Dukhovni <viktor@openssl.org>

RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is confusing. This cleans it up. (rsalz: also removed trailing whitespace.) Reviewed-by: N Viktor Dukhovni <viktor@openssl.org>
fa60b909 · David Gatwood · Rich Salz · fd4592be · fa60b909
隐藏空白更改
内联并排

Showing with 9 addition and 7 deletion

doc/ssl/SSL_CTX_set_tmp_dh_callback.pod doc/ssl/SSL_CTX_set_tmp_dh_callback.pod +9 -7

未找到文件。
--- a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
@@ -48,12 +48,13 @@ even if he gets hold of the normal (certified) key, as this key was
 only used for signing.

 In order to perform a DH key exchange the server must use a DH group
-(DH parameters) and generate a DH key. The server will always generate a new
-DH key during the negotiation, when the DH parameters are supplied via
-callback and/or when the SSL_OP_SINGLE_DH_USE option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will
-immediately create a DH key, when DH parameters are supplied via
-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,
+(DH parameters) and generate a DH key.
+The server will always generate a new DH key during the negotiation
+if either the DH parameters are supplied via callback or the
+SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).
+It will  immediately create a DH key if DH parameters are supplied via
+SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.
+In this case,
 it may happen that a key is generated on initialization without later
 being needed, while on the other hand the computer time during the
 negotiation is being saved.
@@ -66,6 +67,7 @@ in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
 has an impact on the computer time needed during negotiation, but it is not
 very large, so application authors/users should consider to always enable
 this option.
+The option is required to implement perfect forward secrecy (PFS).

 As generating DH parameters is extremely time consuming, an application
 should not generate the parameters on the fly but supply the parameters.
@@ -139,7 +141,7 @@ partly left out.)
      dh_tmp = dh_512;
      break;
    case 1024:
-      if (!dh_1024) 
+      if (!dh_1024)
        dh_1024 = get_dh1024();
      dh_tmp = dh_1024;
      break;