From: Nikos Mavrogiannopoulos Date: Mon, 29 Aug 2011 19:02:11 +0000 (+0200) Subject: doc updates X-Git-Tag: gnutls_3_0_2~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f98518f0198da3306cdcc49545f34bb83849ce03;p=thirdparty%2Fgnutls.git doc updates --- diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 3d115bbf01..ea43ddeb98 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -687,13 +687,15 @@ information about it. Several TLS ciphersuites require additional parameters that need to be generated or provided by the application. The Diffie-Hellman based ciphersuites (ANON-DH or DHE), require -the group information to be provided. This information can be either +the group parameters to be provided. Those can either be be generated on the fly using @funcref{gnutls_dh_params_generate2} -or imported from some pregenerated value using @funcref{gnutls_dh_params_import_pkcs3}. -The parameters can be used in a session by calling +or imported from pregenerated data using @funcref{gnutls_dh_params_import_pkcs3}. +The parameters can be used in a @acronym{TLS} session by calling @funcref{gnutls_certificate_set_dh_params} or @funcref{gnutls_anon_set_server_dh_params} for anonymous sessions. +@showfuncB{gnutls_dh_params_init,gnutls_dh_params_deinit} + @showfuncD{gnutls_dh_params_generate2,gnutls_dh_params_import_pkcs3,gnutls_certificate_set_dh_params,gnutls_anon_set_server_dh_params} Due to the time-consuming calculations required for the generation @@ -702,16 +704,18 @@ of them within an application. The @code{certtool} tool can be used to generate or export known safe values that can be stored in code or in a configuration file to provide the ability to replace. We also recommend the usage of @funcref{gnutls_sec_param_to_pk_bits} (see @ref{Selecting cryptographic key sizes}) to determine -the bit size of the parameters to be generated. +the bit size of the generated parameters. The ciphersuites that involve the RSA-EXPORT key exchange require additional parameters. Those ciphersuites are rarely used today because they are by design insecure, thus if you have no requirement -for them, this section should be skipped. The RSA-EXPORT key exchange +for them, the rest of this section can be skipped. The RSA-EXPORT key exchange requires 512-bit RSA keys to be generated. It is recommended those parameters to be refreshed (regenerated) in short intervals. The following functions can be used for these parameters. +@showfuncB{gnutls_rsa_params_init,gnutls_rsa_params_deinit} + @showfuncD{gnutls_rsa_params_generate2,gnutls_certificate_set_rsa_export_params,gnutls_rsa_params_import_pkcs1,gnutls_rsa_params_export_pkcs1} To allow renewal of the parameters within an application without