discuss the change in Diffie-Hellman parameters.

2 files changed, 9 insertions, 2 deletions

diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index a2f4f35edb..acf88c24d0 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -287,7 +287,7 @@ example of a template file.
 @subheading Diffie-Hellman parameter generation
 To generate parameters for Diffie-Hellman key exchange, use the command:
 @example
-$ certtool --generate-dh-params --outfile dh.pem
+$ certtool --generate-dh-params --outfile dh.pem --sec-param normal
 @end example
 
 @subheading Self-signed certificate generation
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 6b408110ee..50efed2911 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -952,9 +952,16 @@ of Diffie-Hellman parameters we suggest against performing generation
 of them within an application. The @code{certtool} tool can be used to 
 generate or export known safe values that can be stored in code
 or in a configuration file to provide the ability to replace. We also
-recommend the usage of @funcref{gnutls_sec_param_to_pk_bits} (see @ref{Selecting cryptographic key sizes}) to determine
+recommend the usage of @funcref{gnutls_sec_param_to_pk_bits} 
+(see @ref{Selecting cryptographic key sizes}) to determine
 the bit size of the generated parameters.
 
+Note that the information stored in the generated PKCS #3 structure
+changed with GnuTLS 3.0.9. Since that version the @code{privateValueLength}
+member of the structure is set, allowing the server utilizing the
+parameters to use keys of the size of the security parameter. This
+provides better performance in key exchange.
+
 The ciphersuites that involve the RSA-EXPORT key exchange require
 additional parameters. Those ciphersuites are rarely used today
 because they are by design insecure, thus if you have no requirement