From 49cf2cd815d61e1399fe46f9532347f09c3ed2f9 Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Tue, 27 May 2014 21:30:20 -0400
Subject: [PATCH] doc:  improve ssl_ecdh_curve descriptions

Patch by Marko Kreen
---
 doc/src/sgml/config.sgml      | 18 ++++++++++++++----
 doc/src/sgml/release-9.4.sgml | 11 ++++++-----
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index d9e5985a16a..4a666d0d2d9 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1020,13 +1020,23 @@ include 'filename'
       </term>
       <listitem>
        <para>
-        Specifies the name of the curve to use in ECDH key exchanges.  The
-        default is <literal>prime256p1</>.
+        Specifies the name of the curve to use in ECDH key exchange.
+        It needs to be supported by all clients that connect.
+        It does not need to be same curve as used by server's
+        Elliptic Curve key.  The default is <literal>prime256v1</>.  
        </para>
 
        <para>
-        The list of available curves can be shown with the command
-        <literal>openssl ecparam -list_curves</literal>.
+        OpenSSL names for most common curves:
+        <literal>prime256v1</> (NIST P-256),
+        <literal>secp384r1</> (NIST P-384),
+        <literal>secp521r1</> (NIST P-521).
+       </para>
+
+       <para>
+        The full list of available curves can be shown with the command
+        <literal>openssl ecparam -list_curves</literal>.  Not all of them
+        are usable in TLS though.
        </para>
       </listitem>
      </varlistentry>
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
index 24862fef381..ae059f88183 100644
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -616,17 +616,18 @@
        </para>
 
        <para>
-        Such keys are faster and have improved security over previous
-        options. The new configuration
-        parameter <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link>
-        controls which curve is used.
+        This allows use of Elliptic Curve keys for server authentication.
+        Such keys are faster and have improved security over <acronym>RSA</> keys.
+        The new configuration parameter
+        <link linkend="guc-ssl-ecdh-curve"><varname>ssl_ecdh_curve</></link>
+        controls which curve is used for <acronym>ECDH</>.
        </para>
       </listitem>
 
       <listitem>
        <para>
         Improve the default <link
-        linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> ciphers
+        linkend="guc-ssl-ciphers"><varname>ssl_ciphers</></link> value
         (Marko Kreen)
        </para>
       </listitem>
-- 
GitLab