| author | Bruce Momjian <bruce@momjian.us> | 2014-05-27 21:30:20 -0400 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2014-05-27 21:30:49 -0400 |
| commit | 49cf2cd815d61e1399fe46f9532347f09c3ed2f9 (patch) | |
| tree | 3b54a0c7437e6181a9e6d620225cbc3a87c308ec /doc/src | |
| parent | b8cc8f94730610c0189aa82dfec4ae6ce9b13e34 (diff) | |
doc: improve ssl_ecdh_curve descriptions
Patch by Marko Kreen
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/config.sgml | 18 | ||||
| -rw-r--r-- | doc/src/sgml/release-9.4.sgml | 11 |
2 files changed, 20 insertions, 9 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index d9e5985a16a..4a666d0d2d9 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1020,13 +1020,23 @@ include 'filename' </term> <listitem> <para> - Specifies the name of the curve to use in ECDH key exchanges. The - default is <literal>prime256p1</>. + Specifies the name of the curve to use in ECDH key exchange. + It needs to be supported by all clients that connect. + It does not need to be same curve as used by server's + Elliptic Curve key. The default is <literal>prime256v1</>. </para> <para> - The list of available curves can be shown with the command - <literal>openssl ecparam -list_curves</literal>. + OpenSSL names for most common curves: + <literal>prime256v1</> (NIST P-256), + <literal>secp384r1</> (NIST P-384), + <literal>secp521r1</> (NIST P-521). + </para> + + <para> + The full list of available curves can be shown with the command + <literal>openssl ecparam -list_curves</literal>. Not all of them + are usable in TLS though. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index 24862fef381..ae059f88183 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml 
@@ -616,17 +616,18 @@ </para> <para> - Such keys are faster and have improved security over previous - options. The new configuration - parameter <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link> - controls which curve is used. + This allows use of Elliptic Curve keys for server authentication. + Such keys are faster and have improved security over <acronym>RSA</> keys. + The new configuration parameter + <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link> + controls which curve is used for <acronym>ECDH</>. </para> </listitem> <listitem> <para> Improve the default <link - linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> ciphers + linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> value (Marko Kreen) </para> </listitem> |
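Review bot: In the release-9.4.sgml hunk, the new paragraph places "Elliptic Curve keys for server authentication" directly before the sentence on ssl_ecdh_curve, which invites the reading that the parameter selects the curve of the server key. The config.sgml text in the same patch states the opposite ("It does not need to be same curve as used by server's Elliptic Curve key"), so consider saying here that ssl_ecdh_curve applies to the ECDH key exchange only and is independent of the key's curve. The claim "faster and have improved security over RSA keys" is also unqualified; a short qualifier on what is being compared would keep the release note from overstating it.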
