Commit 2ec4e950 authored by David Benjamin, committed by Tomas Mraz

Fix SSL_CTX_set1_groups documentation on preference orders

The documentation currently describes SSL_CTX_set1_groups as a
preference order, but this does not match the typical interpretation of
"preference order" in OpenSSL and TLS. Typically, an application can
order more secure options ahead of less secure ones and pick up TLS's
usual downgrade protection guarantees.

TLS 1.3 servers need to balance an additional consideration: some
options will perform worse than others due to key share prediction. The
prototypical selection procedure is to first select the set of more
secure options, then select the most performant among those.

OpenSSL follows this procedure, but it *unconditionally* treats all
configured curves as equivalent security. Per discussion on GitHub,
OpenSSL's position is that this is an intended behavior.

While not supported by built-in providers, OpenSSL now documents that
external providers can extend the group list and CHANGES.md explicitly
cites post-quantum as a use case. With post-quantum providers, it's
unlikely that application developers actually wanted options to be
equivalent security. To avoid security vulnerabilities arising from
mismatched expectations, update the documentation to clarify the server
behavior.

Per the OTC decision in
https://github.com/openssl/openssl/issues/22203#issuecomment-1744465829,
this documentation fix should be backported to stable branches.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23776)
parent 1d2cbd9b
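
A simplified model of the two interpretations the commit message contrasts, added here as an illustration and not taken from the commit or from OpenSSL's source. It assumes "most performant" means "the client already sent a key share for that group"; the group name `pq_hybrid_example` and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of TLS 1.3 server group selection; not OpenSSL source.
 * Every list is NULL-terminated, most preferred entry first. */
static int in_list(const char *g, const char *const *list) {
    for (; *list != NULL; list++)
        if (strcmp(g, *list) == 0) return 1;
    return 0;
}

/* Equal-security policy: any mutually supported group that already has a
 * client key share wins, since it avoids a HelloRetryRequest. The server's
 * order is consulted only when no share is usable (*hrr set to 1). */
static const char *select_equal_security(const char *const *server,
        const char *const *groups, const char *const *shares, int *hrr) {
    *hrr = 0;
    for (const char *const *s = shares; *s != NULL; s++)
        if (in_list(*s, server) && in_list(*s, groups)) return *s;
    *hrr = 1;
    for (const char *const *g = server; *g != NULL; g++)
        if (in_list(*g, groups)) return *g;
    return NULL; /* no common group */
}

/* Strict-preference policy (what an application might assume): take the
 * server's first mutually supported group even if that costs a retry. */
static const char *select_strict(const char *const *server,
        const char *const *groups, const char *const *shares, int *hrr) {
    *hrr = 0;
    for (const char *const *g = server; *g != NULL; g++)
        if (in_list(*g, groups)) {
            *hrr = !in_list(*g, shares);
            return *g;
        }
    return NULL;
}

/* Constructed sample; "pq_hybrid_example" is a hypothetical provider group. */
static const char *const SERVER[] = {"pq_hybrid_example", "X25519", NULL};
static const char *const GROUPS[] = {"pq_hybrid_example", "X25519", NULL};
static const char *const SHARES[] = {"X25519", NULL};
int main(void) {
    int hrr;
    const char *g = select_equal_security(SERVER, GROUPS, SHARES, &hrr);
    printf("equal security: %s (retry=%d)\n", g, hrr);
    g = select_strict(SERVER, GROUPS, SHARES, &hrr);
    printf("strict order:   %s (retry=%d)\n", g, hrr);
    return 0;
}
```

With the constructed input, both peers support the first-listed group, yet the equal-security policy settles on `X25519` because that is the only key share offered; a deployment that needs the first-listed group should not also configure the weaker one.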