From 1606d30832dcea8cb3653f0369b579d47c63ff7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Sat, 4 Mar 2023 16:11:59 +0100
Subject: [PATCH] doc: fix description of TLS dhparam option

The dhparam option is not required for perfect forward secrecy in
general. It is only required for non-ECDHE secrecy, but ECDHE-based
secrecy is generally preferred anyway.
---
 doc/api/tls.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/api/tls.md b/doc/api/tls.md
index a9763c73426673..7cbcee6ad3a0b6 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1882,12 +1882,13 @@ changes:
     client certificate.
   * `crl` {string|string\[]|Buffer|Buffer\[]} PEM formatted CRLs (Certificate
     Revocation Lists).
-  * `dhparam` {string|Buffer} Diffie-Hellman parameters, required for
+  * `dhparam` {string|Buffer} Diffie-Hellman parameters, required for non-ECDHE
     [perfect forward secrecy][]. Use `openssl dhparam` to create the parameters.
     The key length must be greater than or equal to 1024 bits or else an error
     will be thrown. Although 1024 bits is permissible, use 2048 bits or larger
     for stronger security. If omitted or invalid, the parameters are silently
-    discarded and DHE ciphers will not be available.
+    discarded and DHE ciphers will not be available. [ECDHE][]-based [perfect
+    forward secrecy][] will still be available.
   * `ecdhCurve` {string} A string describing a named curve or a colon separated
     list of curve NIDs or names, for example `P-521:P-384:P-256`, to use for
     ECDH key agreement. Set to `auto` to select the