Up default server DH params to 2048 bits

2025-01-21 21:31:11 +00:00 · 2015-07-03 17:43:06 +02:00 · 2015-07-03 17:43:06 +02:00 · 3517c20df7
parent f333174fa1
commit 3517c20df7
3 changed files with 6 additions and 4 deletions
--- a/4
+++ b/4
@ -4,7 +4,9 @@ PolarSSL ChangeLog

 Security
   * Increase the minimum size of Diffie-Hellman parameters accepted by the
-     lient to 1024 bits, to protect against Logjam attack.
+     client to 1024 bits, to protect against Logjam attack.
+   * Increase the size of default Diffie-Hellman parameters on the server to
+     2048 bits. This can be changed with ssl_set_dh_params().

 Bugfix
   * Fix thread-safety issue in the SSL debug module.
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -814,7 +814,7 @@ void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
 /**
 * \brief          Set the Diffie-Hellman public P and G values,
 *                 read as hexadecimal strings (server-side only)
- *                 (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
+ *                 (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
 *
 * \param ssl      SSL context
 * \param dhm_P    Diffie-Hellman-Merkle modulus
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3075,9 +3075,9 @@ int ssl_init( ssl_context *ssl )

 #if defined(POLARSSL_DHM_C)
    if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
-                                 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
+                                 POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
        ( ret = mpi_read_string( &ssl->dhm_G, 16,
-                                 POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
+                                 POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
    {
        SSL_DEBUG_RET( 1, "mpi_read_string", ret );
        return( ret );