From: Ben Jencks Date: Sun, 27 Jan 2013 23:42:17 +0000 (-0500) Subject: ITS#7506 DHParamFile: Update docs X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=056bd0acf90337c3c599c84e352bf27b940373d2;p=openldap ITS#7506 DHParamFile: Update docs Update docs to reflect changes in handling and fix some errors. --- diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf index 00bf83ce26..cd8343da97 100644 --- a/doc/guide/admin/tls.sdf +++ b/doc/guide/admin/tls.sdf @@ -188,18 +188,20 @@ and it doesn't need very much data to work. This directive is ignored with GnuTLS and Mozilla NSS. -H4: TLSEphemeralDHParamFile +H4: TLSDHParamFile This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order -to use a DSA certificate on the server side (i.e. -{{EX:TLSCertificateKeyFile}} points to a DSA key). Multiple sets -of parameters can be included in the file; all of them will be -processed. Parameters can be generated using the following command +to use DHE-based cipher suites, including all DSA-based suites (i.e. +{{EX:TLSCertificateKeyFile}} points to a DSA key), and RSA when the 'key +encipherment' key usage is not specified in the certificate. Parameters can be +generated using the following command > openssl dhparam [-dsaparam] -out +or +> certtool --generate-dh-params --bits --outfile -This directive is ignored with GnuTLS and Mozilla NSS. +This directive is ignored with Mozilla NSS. H4: TLSVerifyClient { never | allow | try | demand }
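Review bot: in the rewritten TLSDHParamFile paragraph, the removed sentence "Multiple sets of parameters can be included in the file; all of them will be processed" has no replacement, so the guide no longer says what happens when the file holds more than one parameter set. Since the commit message says the handling changed, add one sentence stating the new behaviour (for example, whether only the first set is read) so that admins with an existing multi-set file know what to expect. Two smaller points in the same paragraph: the clause "and RSA when the 'key encipherment' key usage is not specified in the certificate" is hard to parse after the parenthetical about DSA keys and would read better as its own sentence, and the openssl line still shows "[-dsaparam]" as optional with no word on when to use it, which is worth a short note because it changes the kind of parameters generated.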