ITS#7506 more doc updates

This commit is contained in:
Howard Chu 2013-09-07 06:50:30 -07:00
parent 056bd0acf9
commit 63926362a9
2 changed files with 17 additions and 11 deletions

View File

@ -920,12 +920,15 @@ browser. Press 'Enter' for the new password.
.B olcTLSDHParamFile: <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
them will be processed. Note that setting this option may also enable
the server, or an RSA certificate missing the "key encipherment" key usage.
Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
Anonymous key exchanges should generally be avoided since they provide no
actual client or server authentication and provide no protection against
man-in-the-middle attacks.
You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]

View File

@ -1151,13 +1151,16 @@ browser. Press 'Enter' for the new password.
.B TLSDHParamFile <filename>
This directive specifies the file that contains parameters for Diffie-Hellman
ephemeral key exchange. This is required in order to use a DSA certificate on
the server. If multiple sets of parameters are present in the file, all of
them will be processed. Note that setting this option may also enable
the server, or an RSA certificate missing the "key encipherment" key usage.
Note that setting this option may also enable
Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites.
You should append "!ADH" to your cipher suites if you have changed them
from the default, otherwise no certificate exchanges or verification will
be done. When using GnuTLS these parameters are always generated randomly so
this directive is ignored. This directive is ignored when using Mozilla NSS.
Anonymous key exchanges should generally be avoided since they provide no
actual client or server authentication and provide no protection against
man-in-the-middle attacks.
You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.