From: Bruce Momjian Date: Wed, 28 May 2014 01:30:20 +0000 (-0400) Subject: doc: improve ssl_ecdh_curve descriptions X-Git-Tag: REL9_4_BETA2~136 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=49cf2cd815d61e1399fe46f9532347f09c3ed2f9;p=postgresql doc: improve ssl_ecdh_curve descriptions Patch by Marko Kreen --- diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index d9e5985a16..4a666d0d2d 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1020,13 +1020,23 @@ include 'filename' - Specifies the name of the curve to use in ECDH key exchanges. The - default is prime256p1. + Specifies the name of the curve to use in ECDH key exchange. + It needs to be supported by all clients that connect. + It does not need to be same curve as used by server's + Elliptic Curve key. The default is prime256v1. - The list of available curves can be shown with the command - openssl ecparam -list_curves. + OpenSSL names for most common curves: + prime256v1 (NIST P-256), + secp384r1 (NIST P-384), + secp521r1 (NIST P-521). + + + + The full list of available curves can be shown with the command + openssl ecparam -list_curves. Not all of them + are usable in TLS though. diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index 24862fef38..ae059f8818 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml @@ -616,17 +616,18 @@ - Such keys are faster and have improved security over previous - options. The new configuration - parameter ssl_ecdh_curve - controls which curve is used. + This allows use of Elliptic Curve keys for server authentication. + Such keys are faster and have improved security over RSA keys. + The new configuration parameter + ssl_ecdh_curve + controls which curve is used for ECDH. Improve the default ssl_ciphers ciphers + linkend="guc-ssl-ciphers">ssl_ciphers value (Marko Kreen)