37,39c37
< certificate and key. A RSA cipher can only be chosen, when a RSA certificate is
< available, the respective is valid for DSA ciphers. Ciphers using EDH need
< a certificate and key and DH-parameters.
---
> certificate and key.
40a39,56
> A RSA cipher can only be chosen, when a RSA certificate is available.
> RSA export ciphers with a keylength of 512 bits for the RSA key require
> a temporary 512 bit RSA key, as typically the supplied key has a length
> of 1024 bit (see
> L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
> RSA ciphers using EDH need a certificate and key and additional DH-parameters
> (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
>
> A DSA cipher can only be chosen, when a DSA certificate is available.
> DSA ciphers always use DH key exchange and therefore need DH-parameters
> (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
>
> When these conditions are not met for any cipher in the list (e.g. a
> client only supports export RSA ciphers with a asymmetric key length
> of 512 bits and the server is not configured to use temporary RSA
> keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
> and the handshake will fail.
>
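Review bot: In the first added paragraph, "as typically the supplied key has a length of 1024 bit" ties the temporary-key requirement to an assumed deployment rather than to the condition itself. As written, the need for a temporary 512 bit RSA key follows from the supplied key being longer than the 512 bits the export cipher uses, so state that condition directly (for example "when the supplied key is longer than 512 bits") and drop "typically". The closing paragraph gives only the missing temporary RSA key as an example of "no shared cipher"; since the two preceding paragraphs also make DH-parameters a precondition for EDH and DSA ciphers, mention missing DH-parameters there as well so the reader can map the error back to either cause. Wording nits in the same hunk: "a asymmetric key length" should be "an asymmetric key length", "A RSA cipher" should be "An RSA cipher", and the comma before "when" in "can only be chosen, when" should go.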
49a66,67
> L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
> L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,