| Field | Value | Timestamp |
|---|---|---|
| author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2014-05-12 14:17:22 -0400 |
| committer | Kurt Roeckx <kurt@roeckx.be> | 2014-11-10 10:58:49 +0100 |
| commit | 0ec6898c67aeddc3c414f3cc1af2275d81329c20 (patch) | |
| tree | c4830e7fa7f797e531264e13112454131edf0d8e /doc | |
| parent | 1e10aee2a7381ffa1680d6239bdb6cf164d8ba1c (diff) | |
| download | openssl-new-0ec6898c67aeddc3c414f3cc1af2275d81329c20.tar.gz | |
Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH
see RT #3203
Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants. This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'doc')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/apps/ciphers.pod | 8 |
| -rw-r--r-- | doc/ssl/SSL_CIPHER_get_name.pod | 13 |
| -rw-r--r-- | doc/ssl/SSL_CTX_set_cipher_list.pod | 2 |
| -rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 2 |
| -rw-r--r-- | doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 2 |
| -rw-r--r-- | doc/ssleay.txt | 2 |

6 files changed, 20 insertions, 9 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 695a7df12b..4eeb55be2c 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -177,12 +177,12 @@ cipher suites using RSA key exchange. cipher suites using DH key agreement and DH certificates signed by CAs with RSA and DSS keys or either respectively. -=item B<kEDH> +=item B<kDHE>, B<kEDH> cipher suites using ephemeral DH key agreement, including anonymous cipher suites. -=item B<EDH> +=item B<DHE>, B<EDH> cipher suites using authenticated ephemeral DH key agreement. @@ -200,12 +200,12 @@ cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH. cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA keys or either respectively. -=item B<kEECDH> +=item B<kECDHE>, B<kEECDH> cipher suites using ephemeral ECDH key agreement, including anonymous cipher suites. -=item B<EECDHE> +=item B<ECDHE>, B<EECDH> cipher suites using authenticated ephemeral ECDH key agreement. diff --git a/doc/ssl/SSL_CIPHER_get_name.pod b/doc/ssl/SSL_CIPHER_get_name.pod index 2e113be606..c598f4d4ce 100644 --- a/doc/ssl/SSL_CIPHER_get_name.pod +++ b/doc/ssl/SSL_CIPHER_get_name.pod @@ -109,6 +109,16 @@ If SSL_CIPHER_description() cannot handle a built-in cipher, the according description of the cipher property is B<unknown>. This case should not occur. +The standard terminology for ephemeral Diffie-Hellman schemes is DHE +(finite field) or ECDHE (elliptic curve). This version of OpenSSL +idiosyncratically reports these schemes as EDH and EECDH, even though +it also accepts the standard terminology. + +It is recommended to use the standard terminology (DHE and ECDHE) +during configuration (e.g. via SSL_CTX_set_cipher_list) for clarity of +configuration. OpenSSL versions after 1.0.2 will report the standard +terms via SSL_CIPHER_get_name and SSL_CIPHER_description. + =head1 RETURN VALUES See DESCRIPTION 
@@ -116,6 +126,7 @@ See DESCRIPTION =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>, -L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)> +L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>, +L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)> =cut diff --git a/doc/ssl/SSL_CTX_set_cipher_list.pod b/doc/ssl/SSL_CTX_set_cipher_list.pod index bd4df4abd4..c84a8314be 100644 --- a/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -41,7 +41,7 @@ RSA export ciphers with a keylength of 512 bits for the RSA key require a temporary 512 bit RSA key, as typically the supplied key has a length of 1024 bit (see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). -RSA ciphers using EDH need a certificate and key and additional DH-parameters +RSA ciphers using DHE need a certificate and key and additional DH-parameters (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). A DSA cipher can only be chosen, when a DSA certificate is available. diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 6e6b5e6d80..7551755f6f 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -165,7 +165,7 @@ can only be used for signature operations (namely under export ciphers with restricted RSA keylength). By setting this option, ephemeral RSA keys are always used. This option breaks compatibility with the SSL/TLS specifications and may lead to interoperability problems with -clients and should therefore never be used. Ciphers with EDH (ephemeral +clients and should therefore never be used. Ciphers with DHE (ephemeral Diffie-Hellman) key exchange should be used instead. =item SSL_OP_CIPHER_SERVER_PREFERENCE diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod index 534643cd9d..b23e43a963 100644 --- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 
+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod @@ -70,7 +70,7 @@ the TLS standard, when the RSA key can be used for signing only, that is for export ciphers. Using ephemeral RSA key exchange for other purposes violates the standard and can break interoperability with clients. It is therefore strongly recommended to not use ephemeral RSA key -exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead +exchange and use DHE (Ephemeral Diffie-Hellman) key exchange instead in order to achieve forward secrecy (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). diff --git a/doc/ssleay.txt b/doc/ssleay.txt index 4d2e714868..c9b29bd97f 100644 --- a/doc/ssleay.txt +++ b/doc/ssleay.txt @@ -6026,7 +6026,7 @@ one at a time, or use 'aliases' to specify the preference and order for the ciphers. There are a large number of aliases, but the most importaint are -kRSA, kDHr, kDHd and kEDH for key exchange types. +kRSA, kDHr, kDHd and kDHE for key exchange types. aRSA, aDSS, aNULL and aDH for authentication DES, 3DES, RC4, RC2, IDEA and eNULL for ciphers |
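Review bot: In the ciphers.pod hunk at @@ -177, the new `=item B<kDHE>, B<kEDH>` and `=item B<DHE>, B<EDH>` entries list both spellings without saying which is preferred, so a reader of ciphers(1) cannot tell that DHE is the canonical form and EDH the legacy alias that this branch still prints. Consider one sentence at the head of the alias list (or under each item) mirroring the terminology paragraph this patch adds to SSL_CIPHER_get_name.pod, so the two manpages tell the same story.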
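Review bot: In the ciphers.pod hunk at @@ -200, the removed line `=item B<EECDHE>` carried a pre-existing misspelling (the matching `kEECDH` item directly above it, and the replacement `=item B<ECDHE>, B<EECDH>`, both use EECDH), and the hunk corrects it silently. Worth a mention in the commit message, since the documented EECDHE spelling is exactly the kind of string a configuration script may have copied from the old manpage.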
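Review bot: In the paragraphs added at @@ -109 of SSL_CIPHER_get_name.pod, "for clarity of configuration" repeats "configuration" within the same sentence, and "e.g. via SSL_CTX_set_cipher_list" should use the POD link form the rest of the file uses, `L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>`. The closing sentence, "OpenSSL versions after 1.0.2 will report the standard terms via SSL_CIPHER_get_name and SSL_CIPHER_description", binds a stable-branch manpage to the behaviour of versions that have not shipped; "are expected to report" keeps the 1.0.2 documentation correct whatever later branches do.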
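Review bot: The changed line at @@ -41 of SSL_CTX_set_cipher_list.pod, `RSA ciphers using DHE need a certificate and key and additional DH-parameters`, still reads awkwardly after the alias swap: "RSA ciphers using DHE" means suites with RSA authentication and DHE key exchange, and "DH-parameters" should be "DH parameters". Suggest "Ciphers using DHE key exchange with RSA authentication need a certificate and key plus DH parameters (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>)."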
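Review bot: At @@ -165 of SSL_CTX_set_options.pod the recommendation `Ciphers with DHE (ephemeral Diffie-Hellman) key exchange should be used instead` names only the finite-field variant, although this same patch introduces ECDHE as the canonical alias for ephemeral ECDH. Since the sentence is about avoiding ephemeral RSA rather than about a particular group, "DHE or ECDHE (ephemeral Diffie-Hellman)" gives the reader the full set of alternatives.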
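Review bot: At @@ -70 of SSL_CTX_set_tmp_rsa_callback.pod the parenthetical is written `(Ephemeral Diffie-Hellman)` with a capital E, while the equivalent change in SSL_CTX_set_options.pod uses `(ephemeral Diffie-Hellman)`; pick one casing for both files. As the sentence is explicitly about achieving forward secrecy, "DHE or ECDHE" would also reflect both aliases this patch adds.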
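Review bot: The ssleay.txt hunk at @@ -6026 changes `kEDH` to `kDHE` but leaves the misspelling "importaint" in the unchanged context line directly above it; since the paragraph is being touched, fixing it here costs nothing. Note also that this hunk, like the three .pod changes before it, replaces the old name outright, whereas ciphers.pod keeps both spellings; given the commit message's stated aim of not changing anything for stable users, "kDHE (or kEDH)" would keep the legacy alias discoverable here too.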