From 09c5e6a9f36134c4f388de3202f2ab3cb2da1f64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Mon, 6 Mar 2023 16:29:19 +0100 Subject: [PATCH] doc: fix description of TLS dhparam option The dhparam option is not required for perfect forward secrecy in general. It is only required for non-ECDHE secrecy, but ECDHE-based secrecy is generally preferred anyway. PR-URL: https://github.com/nodejs/node/pull/46949 Reviewed-By: Luigi Pinca Reviewed-By: Filip Skokan --- doc/api/tls.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index 65d1eb7be499d0..34d3a9a96da672 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1880,12 +1880,13 @@ changes: client certificate. * `crl` {string|string\[]|Buffer|Buffer\[]} PEM formatted CRLs (Certificate Revocation Lists). - * `dhparam` {string|Buffer} Diffie-Hellman parameters, required for + * `dhparam` {string|Buffer} Diffie-Hellman parameters, required for non-ECDHE [perfect forward secrecy][]. Use `openssl dhparam` to create the parameters. The key length must be greater than or equal to 1024 bits or else an error will be thrown. Although 1024 bits is permissible, use 2048 bits or larger for stronger security. If omitted or invalid, the parameters are silently - discarded and DHE ciphers will not be available. + discarded and DHE ciphers will not be available. [ECDHE][]-based [perfect + forward secrecy][] will still be available. * `ecdhCurve` {string} A string describing a named curve or a colon separated list of curve NIDs or names, for example `P-521:P-384:P-256`, to use for ECDH key agreement. Set to `auto` to select the
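Review bot: The new `[ECDHE][]` reference-style link introduced in the second hunk region has no matching link definition added in this patch (3 insertions, 2 deletions, all in the option list), so please confirm that a `[ECDHE]: ...` definition already exists at the bottom of `doc/api/tls.md`, or the rendered page will show a dangling reference. Separately, the added sentence "[ECDHE][]-based [perfect forward secrecy][] will still be available" is only true as long as ECDHE key agreement is actually enabled; since the `ecdhCurve` option documented immediately below is what governs that, consider pointing at it, for example: "will still be available as long as ECDH key agreement is enabled (see `ecdhCurve`)". Otherwise the wording change is correct: `dhparam` only affects DHE suites, and omitting it silently disables those, which the surrounding text already states.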