Commit 63926362 authored by Howard Chu's avatar Howard Chu
Browse files

ITS#7506 more doc updates

parent 056bd0ac
......@@ -920,12 +920,15 @@ browser. Press 'Enter' for the new password.
.B olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
them will be processed. Note that setting this option may also enable
the server, or an RSA certificate missing the "key encipherment" key usage.
Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
Anonymous key exchanges should generally be avoided since they provide no
actual client or server authentication and provide no protection against
man-in-the-middle attacks.
You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]
......
......@@ -1151,13 +1151,16 @@ browser. Press 'Enter' for the new password.
.B TLSDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
them will be processed. Note that setting this option may also enable
the server, or an RSA certificate missing the "key encipherment" key usage.
Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS these parameters are always generated randomly so
this directive is ignored. This directive is ignored when using Mozilla NSS.
Anonymous key exchanges should generally be avoided since they provide no
actual client or server authentication and provide no protection against
man-in-the-middle attacks.
You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment