Up default server DH params to 2048 bits
diff --git a/ChangeLog b/ChangeLog
index 626b141..d757010 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,9 @@
Security
* Increase the minimum size of Diffie-Hellman parameters accepted by the
- lient to 1024 bits, to protect against Logjam attack.
+ client to 1024 bits, to protect against Logjam attack.
+ * Increase the size of default Diffie-Hellman parameters on the server to
+ 2048 bits. This can be changed with ssl_set_dh_params().
Bugfix
* Fix thread-safety issue in the SSL debug module.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index e6cc2ad..e31b776 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -814,7 +814,7 @@
/**
* \brief Set the Diffie-Hellman public P and G values,
* read as hexadecimal strings (server-side only)
- * (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
+ * (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
*
* \param ssl SSL context
* \param dhm_P Diffie-Hellman-Merkle modulus
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 41722e8..734bc8f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3075,9 +3075,9 @@
#if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
+ POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
+ POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
{
SSL_DEBUG_RET( 1, "mpi_read_string", ret );
return( ret );