[Documentation] Increase bitlength recommendation for DH parameters

Also clarify the behaviour of TLS backends and the consequences for not providing any parameters at all. [ci skip]
2016-05-05 04:18:31 +00:00 · 2016-05-05 04:18:31 +00:00 · 9d6b870d7b
parent 70a70462e5
commit 9d6b870d7b
2 changed files with 6 additions and 2 deletions
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@ -72,7 +72,9 @@ serverinfo {
 	 * However it has been reported that some clients have broken TLS implementations which may
 	 * choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters
 	 * for now if your keys are larger than 2048-bit.
-	 */
+	 *
+	 * If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
+	 * and some will succeed but use weak, common DH groups! */
 	ssl_dh_params = "etc/dh.pem";

 	/* ssld_count: number of ssld processes you want to start, if you
--- a/doc/reference.conf
+++ b/doc/reference.conf
@ -154,7 +154,9 @@ serverinfo {
 	/* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
 	#ssl_private_key = "etc/ssl.key";

-	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
+	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */
+	/* If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
+	   and some will succeed but use weak, common DH groups! */
 	ssl_dh_params = "etc/dh.pem";

 	/* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */