From: Ryan Hooper <ryhooper@cisco.com>
Date: Thu, 28 Aug 2025 13:12:39 +0000 (-0400)
Subject: doc: Update documentation of SSL_CTX_set_dh_auto()
X-Git-Tag: openssl-3.0.18~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=42d539b9318787d65a4ce3545b7d820ba40cb5a4;p=thirdparty%2Fopenssl.git

doc: Update documentation of SSL_CTX_set_dh_auto()

Update the documentation of the dh_tmp_auto argument in
regards to its behavior when the argument value is 2.

Fixes #27606

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28366)

(cherry picked from commit 7600608eab0cd0a633e4d989d634590831b48a5d)
---

diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
index 4799ada6844..b4a35318fac 100644
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@@ -58,9 +58,11 @@ the actual key is newly generated during the negotiation.
 Typically applications should use well known DH parameters that have built-in
 support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto()
 configure OpenSSL to use the default built-in DH parameters for the B<SSL_CTX>
-and B<SSL> objects respectively. Passing a value of 1 in the I<onoff> parameter
-switches the feature on, and passing a value of 0 switches it off. The default
-setting is off.
+and B<SSL> objects respectively. Passing a value of 2 or 1 in the I<onoff>
+parameter switches it on. If the I<onoff> parameter is set to 2, it will force
+the DH key size to 1024 if the B<SSL_CTX> or B<SSL> security level
+L<SSL_CTX_set_security_level(3)> is 0 or 1. Passing a value of 0 switches
+it off. The default setting is off.
 
 If "auto" DH parameters are switched on then the parameters will be selected to
 be consistent with the size of the key associated with the server's certificate.