Use 2048-bit DHE parameters from RFC 3526 instead of 5114 by default
The parameters from RFC 5114 are not considered trustworthy, while those from
RFC 3526 have been generated in a nothing-up-my-sleeve manner.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ba586a0..9986ddc 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7268,8 +7268,8 @@
if( endpoint == MBEDTLS_SSL_IS_SERVER )
{
if( ( ret = mbedtls_ssl_conf_dh_param( conf,
- MBEDTLS_DHM_RFC5114_MODP_2048_P,
- MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+ MBEDTLS_DHM_RFC3526_MODP_2048_P,
+ MBEDTLS_DHM_RFC3526_MODP_2048_G ) ) != 0 )
{
return( ret );
}
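Review bot: The new default passed to `mbedtls_ssl_conf_dh_param` has no comment recording why the RFC 3526 group was chosen, so the rationale exists only in the commit message. I would add above the call `/* RFC 3526 MODP-2048: nothing-up-my-sleeve parameters; RFC 5114 groups are not considered trustworthy */`. The change also only affects the server-side default, so applications that pass the `MBEDTLS_DHM_RFC5114_MODP_2048_*` constants themselves keep the old group. A ChangeLog entry and a deprecation note on those macros would be worth adding if the commit does not already include them in another file, which cannot be seen from this hunk. The enclosing function starts and ends outside the hunk.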