ITS#7506 DHParamFile: Update docs

author Ben Jencks <ben@bjencks.net>

Sun, 27 Jan 2013 23:42:17 +0000 (18:42 -0500)

committer Howard Chu <hyc@openldap.org>

Sat, 7 Sep 2013 13:42:28 +0000 (06:42 -0700)
author Ben Jencks <ben@bjencks.net>
Sun, 27 Jan 2013 23:42:17 +0000 (18:42 -0500)
committer Howard Chu <hyc@openldap.org>
Sat, 7 Sep 2013 13:42:28 +0000 (06:42 -0700)
diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf

index 00bf83ce262872a7a4a35902e476d94a9d1a38fa..cd8343da9713164e88660e25959da793c73fb97d 100644 (file)
--- a/doc/guide/admin/tls.sdf
+++ b/doc/guide/admin/tls.sdf
@@ -188,18 +188,20 @@ and it doesn't need very much data to work.
  
  This directive is ignored with GnuTLS and Mozilla NSS.
  
-H4: TLSEphemeralDHParamFile <filename>
+H4: TLSDHParamFile <filename>
  
  This directive specifies the file that contains parameters for
  Diffie-Hellman ephemeral key exchange.  This is required in order
-to use a DSA certificate on the server side (i.e.
-{{EX:TLSCertificateKeyFile}} points to a DSA key).  Multiple sets
-of parameters can be included in the file; all of them will be
-processed.  Parameters can be generated using the following command
+to use DHE-based cipher suites, including all DSA-based suites (i.e.
+{{EX:TLSCertificateKeyFile}} points to a DSA key), and RSA when the 'key
+encipherment' key usage is not specified in the certificate.  Parameters can be
+generated using the following command
  
  >      openssl dhparam [-dsaparam] -out <filename> <numbits>
+or
+>      certtool --generate-dh-params --bits <numbits> --outfile <filename>
  
-This directive is ignored with GnuTLS and Mozilla NSS.
+This directive is ignored with Mozilla NSS.
  
  H4: TLSVerifyClient { never | allow | try | demand }
author	Ben Jencks <ben@bjencks.net>
	Sun, 27 Jan 2013 23:42:17 +0000 (18:42 -0500)
committer	Howard Chu <hyc@openldap.org>
	Sat, 7 Sep 2013 13:42:28 +0000 (06:42 -0700)