added PFS to --secure-protocol

[wget] / doc / wget.texi

diff --git a/doc/wget.texi b/doc/wget.texi
index cced7edda118e268b6f290ae272380179044dbce..0b867758d711971d1ee736e6f82b5f9b7f0d7a29 100644 (file)
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1595,16 +1595,21 @@ without SSL support, none of these options are available.
 @cindex SSL protocol, choose
 @item --secure-protocol=@var{protocol}
 Choose the secure protocol to be used.  Legal values are @samp{auto},
-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}.  If @samp{auto} is used,
-the SSL library is given the liberty of choosing the appropriate
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1} and @samp{PFS}.  If @samp{auto}
+is used, the SSL library is given the liberty of choosing the appropriate
 protocol automatically, which is achieved by sending an SSLv2 greeting
 and announcing support for SSLv3 and TLSv1.  This is the default.
 
 Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
 of the corresponding protocol.  This is useful when talking to old and
-buggy SSL server implementations that make it hard for OpenSSL to
-choose the correct protocol version.  Fortunately, such servers are
-quite rare.
+buggy SSL server implementations that make it hard for the underlying
+SSL library to choose the correct protocol version.  Fortunately, such
+servers are quite rare.
+
+Specifying @samp{PFS} enforces the use of the so-called Perfect Forward
+Security cipher suites. In short, PFS adds security by creating a one-time
+key for each SSL connection. It has a bit more CPU impact on client and server.
+We use known to be secure ciphers (e.g. no MD4) and the TLS protocol.
 
 @item --https-only
 When in recursive mode, only HTTPS links are followed.