From af22f1ed09fcce06c20d39df9bb9f1478e5ddabc Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 31 Jul 2017 14:23:17 +0300 Subject: [PATCH 2/2] Update release notes for the DH parameter changes. --- doc/src/sgml/release-10.sgml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml index cf743aa2f7..b5ee88984e 100644 --- a/doc/src/sgml/release-10.sgml +++ b/doc/src/sgml/release-10.sgml @@ -408,6 +408,43 @@ + + Add configuration option to + specify filename for custom OpenSSL DH parameters (Heikki Linnakangas) + + + + This replaces the hardcoded, undocumented dh1024.pem + filename. Note that dh1024.pem is no longer used by default; + you must set the option to use custom DH parameters. + + + + + + + Increase the size of DH parameters used for OpenSSL ephemeral DH ciphers + to 2048 bits (Heikki Linnakangas) + + + + The size of the compiled-in DH parameters has been increased from 1024 + to 2048 bits, making DH key exchange more resistent to a brute-force + attack. However, some old SSL implementations, notably some revisions of + Java Runtime Environment version 6, will not accept DH parameters longer + than 1024 bits, and will not be able to connect over SSL. As a + work-around, you can use custom 1024-bit DH parameters, instead of the + compiled-in defaults. See for + information on using custom DH parameters. + + + + + -- 2.11.0