From 4427b515e6195bd2304e082ea5a5c5d6d36c4eb5 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 31 Jul 2017 22:47:07 +0300 Subject: [PATCH] Doc: add v10 release notes entries for the DH parameter changes. --- doc/src/sgml/release-10.sgml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index cf743aa2f7..8e5cb54931 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml @@ -408,6 +408,43 @@ + + Add configuration option to + specify filename for custom OpenSSL DH parameters (Heikki Linnakangas) + + + + This replaces the hardcoded, undocumented dh1024.pem + filename. Note that dh1024.pem is no longer used by default; + you must set the option to use custom DH parameters. + + + + + + + Increase the size of DH parameters used for OpenSSL ephemeral DH ciphers + to 2048 bits (Heikki Linnakangas) + + + + The size of the compiled-in DH parameters has been increased from 1024 + to 2048 bits, making DH key exchange more resistent to a brute-force + attack. However, some old SSL implementations, notably some revisions of + Java Runtime Environment version 6, will not accept DH parameters longer + than 1024 bits, and will not be able to connect over SSL. As a + work-around, you can use custom 1024-bit DH parameters, instead of the + compiled-in defaults. See for + information on using custom DH parameters. + + + + + -- 2.40.0
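Review bot: typo in the second added entry: "more resistent to a brute-force attack" should read "resistant". In the same paragraph, the 1024-bit work-around is offered without saying that it restores the weaker key exchange this entry moves away from. Consider adding a clause that custom 1024-bit parameters should be used only on servers that must accept those old clients. In the first entry, the statement that dh1024.pem is "no longer used by default" could say outright that an existing dh1024.pem file has no effect unless the new option is set, so administrators who relied on it notice the change on upgrade.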