From: Pauli <paul.dale@oracle.com>
Date: Thu, 12 Mar 2020 03:51:57 +0000 (+1000)
Subject: dh: document what the PEM files in apps actually contain.
X-Git-Tag: openssl-3.0.0-alpha1~264
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=bee68c475dd66b799b768f0bfe7389ad00fd902d;p=oweals%2Fopenssl.git

dh: document what the PEM files in apps actually contain.

They were claimed to be the SKIP primes but they are really two of the
MODP Diffie-Hellman groups for IKE.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
---

diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
index 0e9108d063..c8d25f4573 100644
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@@ -63,12 +63,11 @@ openssl L<openssl-dhparam(1)> application. This application
 guarantees that "strong" primes are used.
 
 Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
-version of the OpenSSL distribution contain the 'SKIP' DH parameters,
-which use safe primes and were generated verifiably pseudo-randomly.
-These files can be converted into C code using the B<-C> option of the
-L<openssl-dhparam(1)> application. Generation of custom DH
-parameters during installation should still be preferred to stop an
-attacker from specializing on a commonly used group. File dh1024.pem
+version of the OpenSSL distribution contain two of the MODP Diffie-Hellman
+groups for IKE as per RFC 3526.  These files can be converted into C code
+using the B<-C> option of the L<openssl-dhparam(1)> application. Generation
+of custom DH parameters during installation should still be preferred to
+stop an attacker from specializing on a commonly used group. File dh1024.pem
 contains old parameters that must not be used by applications.
 
 An application may either directly specify the DH parameters or