Document `SSL_OP_PREFER_NO_DHE_KEX` option.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22794)

doc/man1/openssl-s_client.pod.in

@@ -93,6 +93,7 @@ B<openssl> B<s_client>
 [B<-legacy_server_connect>]
 [B<-no_legacy_server_connect>]
 [B<-allow_no_dhe_kex>]
+[B<-prefer_no_dhe_kex>]
 [B<-sigalgs> I<sigalglist>]
 [B<-curves> I<curvelist>]
 [B<-cipher> I<cipherlist>]

doc/man1/openssl-s_server.pod.in

@@ -102,6 +102,7 @@ B<openssl> B<s_server>
 [B<-no_renegotiation>]
 [B<-no_resumption_on_reneg>]
 [B<-allow_no_dhe_kex>]
+[B<-prefer_no_dhe_kex>]
 [B<-prioritize_chacha>]
 [B<-strict>]
 [B<-sigalgs> I<val>]

doc/man3/SSL_CONF_cmd.pod

@@ -95,6 +95,12 @@ Only used by servers. Requires B<-serverpref>.
 In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
 that there will be no forward secrecy for the resumed session.
 
+=item B<-prefer_no_dhe_kex>
+
+In TLSv1.3, on resumption let the server prefer a non-(ec)dhe based key
+exchange mode over an (ec)dhe based one. Requires B<-allow_no_dhe_kex>.
+Equivalent to B<SSL_OP_PREFER_NO_DHE_KEX>. Only used by servers.
+
 =item B<-strict>
 
 Enables strict mode protocol handling. Equivalent to setting
@@ -523,6 +529,11 @@ B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
 resumption. This means that there will be no forward secrecy for the resumed
 session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>.
 
+B<PreferNoDHEKEX>: In TLSv1.3, on resumption let the server prefer a
+non-(ec)dhe based key exchange mode over an (ec)dhe based one. Requires
+B<AllowNoDHEKEX>. Equivalent to B<SSL_OP_PREFER_NO_DHE_KEX>. Only used by
+servers.
+
 B<MiddleboxCompat>: If set then dummy Change Cipher Spec (CCS) messages are sent
 in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that
 middleboxes that do not understand TLSv1.3 will not drop the connection. This

doc/man3/SSL_CTX_set_options.pod

@@ -110,6 +110,12 @@ this option to enable it.
 In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
 that there will be no forward secrecy for the resumed session.
 
+=item SSL_OP_PREFER_NO_DHE_KEX
+
+In TLSv1.3, on resumption let the server prefer a non-(ec)dhe based key
+exchange mode over an (ec)dhe based one. Ignored without B<SSL_OP_ALLOW_NO_DHE_KEX>
+being set as well. Always ignored on the client.
+
 =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 
 Allow legacy insecure renegotiation between OpenSSL and unpatched clients or

doc/perlvars.pm

@@ -187,6 +187,7 @@ $OpenSSL::safe::opt_s_synopsis = ""
 . "[B<-no_legacy_server_connect>]\n"
 . "[B<-no_etm>]\n"
 . "[B<-allow_no_dhe_kex>]\n"
+. "[B<-prefer_no_dhe_kex>]\n"
 . "[B<-prioritize_chacha>]\n"
 . "[B<-strict>]\n"
 . "[B<-sigalgs> I<algs>]\n"
@@ -207,7 +208,8 @@ $OpenSSL::safe::opt_s_item = ""
 . "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
 . "B<-no_resumption_on_reneg>,\n"
 . "B<-legacy_server_connect>, B<-no_legacy_server_connect>, B<-no_etm>\n"
-. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
+. "B<-allow_no_dhe_kex>, B<-prefer_no_dhe_kex>,\n"
+. "B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
 . "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"
 . "I<curves>, B<-named_curve> I<curve>, B<-cipher> I<ciphers>, B<-ciphersuites>\n"
 . "I<1.3ciphers>, B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>,\n"