On Fri, May 01, 2020 at 02:33:38PM +0200, Sebastian Benoit wrote:
> Indeed it has to be specified as auto, none or legacy.
>
> I can't see how this could ever have worked, I believe the documentation was
> always wrong.

One suggestion inline, OK kn either way.

> Index: relayd.conf.5 > =================================================================== > RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v > retrieving revision 1.195 > diff -u -p -r1.195 relayd.conf.5 > --- relayd.conf.5 23 Apr 2020 21:28:10 -0000 1.195 > +++ relayd.conf.5 1 May 2020 12:30:30 -0000 > @@ -960,17 +960,22 @@ suites, in order of preference. > The special value of "default" will use the default curves; see > .Xr tls_config_set_ecdhecurves 3 > for further details. > -.It Ic edh Op Ic params Ar maximum > +.It Ic edh Op Ic params Pq Ic none Ns | Ns Ic auto Ns | Ns Ic legacy > Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for > older clients that do not support ECDHE. > -If the > -.Ar maximum > -length of the DH params for EDH is not specified, the default value of > -1024 bits will be used. > -Other possible values are numbers between 1024 and 8192, including > -1024, 1536, 2048, 4096, or 8192. > -Values higher than 1024 bits can cause incompatibilities with older > -TLS clients. > +In > +.Ic auto > +mode, the key size of the ephemeral key is automatically selected > +based on the size of the private key used for signing. > +In > +.Ic legacy > +mode, a 1024 bit ephemeral key is used. > +If > +.Ic edh > +is enabled without specifiying the > +.Ic params , Perhaps just If .Ic params is omitted, > +.Ic auto > +is used. > The default is > .Ic no edh . > .It Ic keypair Ar name >
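
Review bot: The new .It line offers three values (none, auto, legacy), but the added description covers only auto and legacy, so none is left undocumented; add a sentence stating what "edh params none" does. The added text also misspells "specifying" as "specifiying", which disappears if the shorter wording suggested inline ("If .Ic params is omitted,") is taken. The removed paragraph warned that sizes above 1024 bits can cause incompatibilities with older TLS clients; since auto is now used when params is omitted and sizes the ephemeral key from the signing key, while the entry is aimed at "older clients that do not support ECDHE", consider keeping a one-line compatibility caveat that points such setups at legacy and notes that legacy means a 1024 bit key.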
