1 files changed, 7 insertions, 26 deletions

diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
index a88137c..7d89bbb 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_tmp_dh_callback 3"
-.TH SSL_CTX_set_tmp_dh_callback 3 "2015-12-03" "1.0.1q" "OpenSSL"
+.TH SSL_CTX_set_tmp_dh_callback 3 "2016-01-28" "1.0.1r" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -184,25 +184,8 @@ even if he gets hold of the normal (certified) key, as this key was
 only used for signing.
 .PP
 In order to perform a \s-1DH\s0 key exchange the server must use a \s-1DH\s0 group
-(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key.
-The server will always generate a new \s-1DH\s0 key during the negotiation
-if either the \s-1DH\s0 parameters are supplied via callback or the
-\&\s-1SSL_OP_SINGLE_DH_USE\s0 option of \fISSL_CTX_set_options\fR\|(3) is set (or both).
-It will  immediately create a \s-1DH\s0 key if \s-1DH\s0 parameters are supplied via
-\&\fISSL_CTX_set_tmp_dh()\fR and \s-1SSL_OP_SINGLE_DH_USE\s0 is not set.
-In this case,
-it may happen that a key is generated on initialization without later
-being needed, while on the other hand the computer time during the
-negotiation is being saved.
-.PP
-If \*(L"strong\*(R" primes were used to generate the \s-1DH\s0 parameters, it is not strictly
-necessary to generate a new key for each handshake but it does improve forward
-secrecy. If it is not assured that \*(L"strong\*(R" primes were used,
-\&\s-1SSL_OP_SINGLE_DH_USE\s0 must be used in order to prevent small subgroup
-attacks. Always using \s-1SSL_OP_SINGLE_DH_USE\s0 has an impact on the
-computer time needed during negotiation, but it is not very large, so
-application authors/users should consider always enabling this option.
-The option is required to implement perfect forward secrecy (\s-1PFS\s0).
+(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key. The server will always generate
+a new \s-1DH\s0 key during the negotiation.
 .PP
 As generating \s-1DH\s0 parameters is extremely time consuming, an application
 should not generate the parameters on the fly but supply the parameters.
@@ -229,10 +212,9 @@ can supply the \s-1DH\s0 parameters via a callback function.
 Previous versions of the callback used \fBis_export\fR and \fBkeylength\fR
 parameters to control parameter generation for export and non-export
 cipher suites. Modern servers that do not support export ciphersuites
-are advised to either use \fISSL_CTX_set_tmp_dh()\fR in combination with
-\&\s-1SSL_OP_SINGLE_DH_USE,\s0 or alternatively, use the callback but ignore
-\&\fBkeylength\fR and \fBis_export\fR and simply supply at least 2048\-bit
-parameters in the callback.
+are advised to either use \fISSL_CTX_set_tmp_dh()\fR or alternatively, use
+the callback but ignore \fBkeylength\fR and \fBis_export\fR and simply
+supply at least 2048\-bit parameters in the callback.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Setup \s-1DH\s0 parameters with a key length of 2048 bits. (Error handling
@@ -264,7 +246,6 @@ partly left out.)
 \& if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
 \&   /* Error. */
 \& }
-\& SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
 \& ...
 .Ve
 .SH "RETURN VALUES"