From 47f7cf051bbb5d67778f6250c3c85341afea86d6 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 3 May 2017 16:39:57 +0100 Subject: [PATCH] Update the documentation for "Groups" and "Curves" Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/3375) --- doc/man3/SSL_CONF_cmd.pod | 44 ++++++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index efd766d7db..6731cf724a 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -73,6 +73,26 @@ The B argument is a colon separated list of curves. The curve can be either the B name (e.g. B) or an OpenSSL OID name (e.g B). Curve names are case sensitive. +=item B<-groups> + +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. + +The B argument is a colon separated list of groups. The group can be +either the B name (e.g. B), some other commonly used name where +applicable (e.g. B) or an OpenSSL OID name (e.g B). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B<-curves> + +This is a synonym for the "-groups" command. + + =item B<-named_curve> This sets the temporary curve used for ephemeral ECDH modes. Only used by 
@@ -273,16 +293,24 @@ used to determine which signature algorithm to with the client certificate. The syntax of B is identical to B. If not set then the value set for B will be used instead. -=item B +=item B -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. -The B argument is a colon separated list of curves. The curve can be -either the B name (e.g. B) or an OpenSSL OID name (e.g -B). Curve names are case sensitive. +The B argument is a colon separated list of groups. The group can be +either the B name (e.g. B), some other commonly used name where +applicable (e.g. B) or an OpenSSL OID name (e.g B). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B + +This is a synonym for the "Groups" command. =item B -- 2.25.1
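Review bot: The new "=item B<-curves>" entry in the first hunk (@@ -73,6 +73,26 @@) is added directly below an unchanged paragraph that still reads "The B argument is a colon separated list of curves ... Curve names are case sensitive." If that paragraph belongs to an existing -curves entry, the page will now describe -curves twice with different wording. The second hunk removes the old Curves text when it adds the synonym, and this hunk should do the same. Two smaller points in the added lines: "(e.g B)" in the group-name sentence is missing the period after "e.g", and there are two blank lines before "=item B<-named_curve>" where one is enough.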
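Review bot: The added paragraphs in the second hunk (@@ -273,16 +293,24 @@) do not say how a server uses the ordering. They state that the list is in preference order and that the first group is used for a TLSv1.3 client's key_share, but "For servers, it is used to determine which group to use" leaves open whether the server's list order or the client's order decides the negotiated group. Someone ordering the list to prefer particular groups needs that stated, so I suggest one sentence on server-side selection. The text is also a verbatim copy of the paragraphs added for -groups in the first hunk; pointing one entry at the other would keep them from drifting apart. The synonym line writes "Groups" in plain quotes while the item names use B<> markup, and the "(e.g B)" missing period is carried over from the removed lines.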