Up default server DHM size to 2048 bits
diff --git a/ChangeLog b/ChangeLog
index 45c26e8..5e6932c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@
Security
* Increase the minimum size of Diffie-Hellman parameters accepted by the
client to 1024 bits, to protect against Logjam attack.
+ * Increase the size of default Diffie-Hellman parameters on the server to
+ 2048 bits. This can be changed with ssl_set_dh_params().
+
Bugfix
* Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index f82d4fc..9c6a0c5 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1327,7 +1327,7 @@
/**
* \brief Set the Diffie-Hellman public P and G values,
* read as hexadecimal strings (server-side only)
- * (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
+ * (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
*
* \param ssl SSL context
* \param dhm_P Diffie-Hellman-Merkle modulus
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f079adc..b8fb507 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3618,9 +3618,9 @@
#if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
+ POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
+ POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
{
SSL_DEBUG_RET( 1, "mpi_read_string", ret );
return( ret );