From 282050c596715ac6872b16fa6bdf9720647cffcd Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Sep 2021 11:45:10 +0900 Subject: [PATCH] Update manual pages --- doc/h2load.1 | 2 +- doc/nghttp.1 | 2 +- doc/nghttpd.1 | 2 +- doc/nghttpx.1 | 46 +++++++++++++++++++++++++++++++++++++--------- doc/nghttpx.1.rst | 43 +++++++++++++++++++++++++++++++++++-------- 5 files changed, 75 insertions(+), 20 deletions(-) diff --git a/doc/h2load.1 b/doc/h2load.1 index 79b2cbda..8ebff2bb 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "Sep 20, 2021" "1.45.0" "nghttp2" +.TH "H2LOAD" "1" "Sep 23, 2021" "1.46.0-DEV" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/nghttp.1 b/doc/nghttp.1 index f0d2704e..8915a1fd 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "Sep 20, 2021" "1.45.0" "nghttp2" +.TH "NGHTTP" "1" "Sep 23, 2021" "1.46.0-DEV" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index 2458b9f1..505cf7bf 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "Sep 20, 2021" "1.45.0" "nghttp2" +.TH "NGHTTPD" "1" "Sep 23, 2021" "1.46.0-DEV" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index ba6b8022..09d31cb0 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "Sep 20, 2021" "1.45.0" "nghttp2" +.TH "NGHTTPX" "1" "Sep 23, 2021" "1.46.0-DEV" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . 
@@ -1776,14 +1776,42 @@ Default: \fBcubic\fP .UNINDENT .INDENT 0.0 .TP -.B \-\-frontend\-quic\-connection\-id\-encryption\-key= -Specify Connection ID encryption key. The encryption -key must be 16 bytes, and it must be encoded in hex -string (which is 32 bytes long). If this option is -omitted, new key is generated. In order to survive QUIC -connection in a configuration reload event, old and new -configuration must have this option and share the same -key. +.B \-\-frontend\-quic\-secret\-file= +Path to file that contains secure random data to be used +as QUIC keying materials. It is used to derive keys for +encrypting tokens and Connection IDs. It is not used to +encrypt QUIC packets. Each line of this file must +contain exactly 136 bytes hex\-encoded string (when +decoded the byte string is 68 bytes long). The first 2 +bits of decoded byte string are used to identify the +keying material. An empty line or a line which starts +\(aq#\(aq is ignored. The file can contain more than one +keying materials. Because the identifier is 2 bits, at +most 4 keying materials are read and the remaining data +is discarded. The first keying material in the file is +primarily used for encryption and decryption for new +connection. The other ones are used to decrypt data for +the existing connections. Specifying multiple keying +materials enables key rotation. Please note that key +rotation does not occur automatically. User should +update files or change options values and restart +nghttpx gracefully. If opening or reading given file +fails, all loaded keying materials are discarded and it +is treated as if none of this option is given. If this +option is not given or an error occurred while opening +or reading a file, a keying material is generated +internally on startup and reload. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-frontend\-quic\-server\-id= +Specify server ID encoded in Connection ID to identify +this particular server instance. 
Connection ID is +encrypted and this part is not visible in public. It +must be 2 bytes long and must be encoded in hex string +(which is 4 bytes long). If this option is omitted, a +random server ID is generated on startup and +configuration reload. .UNINDENT .INDENT 0.0 .TP diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst index 278ae146..b5e25ee2 100644 --- a/doc/nghttpx.1.rst +++ b/doc/nghttpx.1.rst 
@@ -1620,15 +1620,42 @@ HTTP/3 and QUIC Default: ``cubic`` -.. option:: --frontend-quic-connection-id-encryption-key= +.. option:: --frontend-quic-secret-file= - Specify Connection ID encryption key. The encryption - key must be 16 bytes, and it must be encoded in hex - string (which is 32 bytes long). If this option is - omitted, new key is generated. In order to survive QUIC - connection in a configuration reload event, old and new - configuration must have this option and share the same - key. + Path to file that contains secure random data to be used + as QUIC keying materials. It is used to derive keys for + encrypting tokens and Connection IDs. It is not used to + encrypt QUIC packets. Each line of this file must + contain exactly 136 bytes hex-encoded string (when + decoded the byte string is 68 bytes long). The first 2 + bits of decoded byte string are used to identify the + keying material. An empty line or a line which starts + '#' is ignored. The file can contain more than one + keying materials. Because the identifier is 2 bits, at + most 4 keying materials are read and the remaining data + is discarded. The first keying material in the file is + primarily used for encryption and decryption for new + connection. The other ones are used to decrypt data for + the existing connections. Specifying multiple keying + materials enables key rotation. Please note that key + rotation does not occur automatically. User should + update files or change options values and restart + nghttpx gracefully. If opening or reading given file + fails, all loaded keying materials are discarded and it + is treated as if none of this option is given. If this + option is not given or an error occurred while opening + or reading a file, a keying material is generated + internally on startup and reload. + +.. option:: --frontend-quic-server-id= + + Specify server ID encoded in Connection ID to identify + this particular server instance. 
Connection ID is + encrypted and this part is not visible in public. It + must be 2 bytes long and must be encoded in hex string + (which is 4 bytes long). If this option is omitted, a + random server ID is generated on startup and + configuration reload. .. option:: --no-quic-bpf
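Review bot: In the doc/nghttpx.1 hunk at @@ -1776, the --frontend-quic-secret-file text says that when opening or reading the file fails "all loaded keying materials are discarded" and a keying material is "generated internally on startup and reload", but it does not say how that failure is reported. Because this fallback replaces the operator's keying material with a fresh one, data encrypted under the configured keys can no longer be decrypted after a reload that hits an unreadable file. Suggest documenting whether the error is logged or fatal, and adding a sentence that the file holds secret data and should be readable only by the account running nghttpx. The same hunk removes --frontend-quic-connection-id-encryption-key without a note for configurations that still set it, so a one-line pointer to the replacement option would help. As the header says this page is generated from reStructuredText, the wording change belongs in doc/nghttpx.1.rst.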
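Review bot: In the doc/nghttpx.1.rst hunk at @@ -1620, the --frontend-quic-secret-file paragraph states "The first 2 bits of decoded byte string are used to identify the keying material" but never says that the lines in one file must carry different identifiers, or which line is kept when two share the same 2 bits. Key rotation as described depends on that, so suggest stating the rule and spelling out the rotation order the text implies (new keying material on the first line, previous ones after it). "exactly 136 bytes hex-encoded string" would be clearer as "exactly 136 hexadecimal characters (68 bytes when decoded)". For --frontend-quic-server-id, "a random server ID is generated on startup and configuration reload" means the ID changes on every reload when the option is omitted; suggest saying so explicitly and advising a fixed value where the server ID is relied on to identify the instance.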