Change wording of warnings
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b490e33..cff9391 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -619,11 +619,11 @@
  *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
  *
- * \warning    The possibility for the use of custom groups
- *             in the use of DHM in TLS constitutes a security
- *             risk. If possible, it is recommended to use
- *             EC-based key exchanges instead. See the documentation
- *             at the top of dhm.h for more information.
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
  *
  */
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
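Review bot: The new warning replaces the explicit EC recommendation with "other methods of key exchange", which a reader of this section could take to mean plain PSK (or, under MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED, plain RSA) key exchange, and those give up forward secrecy. I would keep the direction concrete and drop the stacked hedging of "it is recommended users should consider preferring", e.g. `If possible, prefer an ephemeral EC-based key exchange (ECDHE) instead.` The same text is added under MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED and MBEDTLS_DHM_C. For the latter, "Using DHE" might better read "Using DHM", since that block documents the module rather than a key exchange.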
@@ -725,11 +725,11 @@
  *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  *
- * \warning    The possibility for the use of custom groups
- *             in the use of DHM in TLS constitutes a security
- *             risk. If possible, it is recommended to use
- *             EC-based key exchanges instead. See the documentation
- *             at the top of dhm.h for more information.
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
  *
  */
 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -1850,11 +1850,11 @@
  * This module is used by the following key exchanges:
  *      DHE-RSA, DHE-PSK
  *
- * \warning    The possibility for the use of custom groups
- *             in the use of DHM in TLS constitutes a security
- *             risk. If possible, it is recommended to use
- *             EC-based key exchanges instead. See the documentation
- *             at the top of dhm.h for more information.
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
  *
  */
 #define MBEDTLS_DHM_C
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index ed39f8d..9ef8146 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -25,22 +25,20 @@
  *           of non-safe primes both decreases the difficulty of the underlying
  *           discrete logarithm problem and can lead to small subgroup attacks
  *           leaking private exponent bits when invalid public keys are used
- *           and not detected. This is especially relevant if the same DHM parameters
- *           are reused for multiple key exchanges as in static DHM, while the
- *           criticality of small-subgroup attacks is lower for ephemeral DHM.
+ *           and not detected. This is especially relevant if the same DHM
+ *           parameters are reused for multiple key exchanges as in static DHM,
+ *           while the criticality of small-subgroup attacks is lower for
+ *           ephemeral DHM.
  *
  *           For performance reasons, the code does neither perform primality
  *           nor safe primality tests, nor the expensive checks for invalid
- *           subgroups.
+ *           subgroups. Moreover, even if these were performed, non-standardized
+ *           primes cannot be trusted because of the possibility of backdoors
+ *           that can't be effectively checked for.
  *
- *           The possibility for the use of custom, non-safe primes in DHM
- *           is a deficiency in the TLS protocol that has been adressed only
- *           recently through the addition of the named group extension from
- *           RFC 7919, which however is not yet implemented in Mbed TLS.
- *
- *           If possible, we recommend to use elliptic curve based key
- *           exchanges instead of DHM-based ones, because the former only
- *           accepts standardized groups.
+ *           We therefore consider DHE a security risk. If possible, it is
+ *           recommended users should consider preferring other methods of
+ *           key exchange.
  *
  */
 #ifndef MBEDTLS_DHM_H
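Review bot: "We therefore consider DHE a security risk" concludes more than the preceding paragraph establishes, since that paragraph argues only against non-standardized primes and says nothing against standardized ones. It would help to state where the exposure lies, presumably on the side that must accept parameters chosen by the peer, with something like `The risk applies when accepting DHM parameters chosen by the peer; when choosing parameters yourself, use a standardized group.` The closing sentence also repeats the hedged "it is recommended users should consider preferring" phrasing and no longer names an alternative. The comment block begins above this hunk, so this is based on the visible lines only.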