Skip to content

Commit

Permalink
doc: fix description of TLS dhparam option
Browse files Browse the repository at this point in the history
The dhparam option is not required for perfect forward secrecy in
general. It is only required for non-ECDHE secrecy, but ECDHE-based
secrecy is generally preferred anyway.

PR-URL: #46949
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
  • Loading branch information
tniessen authored Mar 6, 2023
1 parent 070e773 commit 00981ea
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions doc/api/tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -1882,12 +1882,13 @@ changes:
client certificate.
* `crl` {string|string\[]|Buffer|Buffer\[]} PEM formatted CRLs (Certificate
Revocation Lists).
* `dhparam` {string|Buffer} Diffie-Hellman parameters, required for
* `dhparam` {string|Buffer} Diffie-Hellman parameters, required for non-ECDHE
[perfect forward secrecy][]. Use `openssl dhparam` to create the parameters.
The key length must be greater than or equal to 1024 bits or else an error
will be thrown. Although 1024 bits is permissible, use 2048 bits or larger
for stronger security. If omitted or invalid, the parameters are silently
discarded and DHE ciphers will not be available.
discarded and DHE ciphers will not be available. [ECDHE][]-based [perfect
forward secrecy][] will still be available.
* `ecdhCurve` {string} A string describing a named curve or a colon separated
list of curve NIDs or names, for example `P-521:P-384:P-256`, to use for
ECDH key agreement. Set to `auto` to select the
Expand Down

0 comments on commit 00981ea

Please sign in to comment.