From e3481ab533b6416ec3609e2873424a72ce5cdd37 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Wed, 4 Oct 2017 16:05:10 +0100
Subject: [PATCH] Improve top warning in dhm.h

---
 include/mbedtls/dhm.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index 73b69e076..479aef841 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -36,6 +36,14 @@
  *           primes cannot be trusted because of the possibility of backdoors
  *           that can't be effectively checked for.
  *
+ *           Diffie-Hellman-Merkle is therefore a security risk when not using
+ *           standardized primes generated using a trustworthy ("nothing up
+ *           my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ *           protocol, DH parameters need to be negotiated, so using the default
+ *           primes systematically is not always an option. If possible, use
+ *           Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ *           and for which the TLS protocol mandates the use of standard
+ *           parameters that were generated in a nothing-up-my-sleeve manner.
  *           We therefore consider DHE a security risk. If possible, it is
  *           recommended users should consider preferring other methods of
  *           key exchange.
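Review bot: the added paragraph leaves the hunk with two back-to-back "therefore" conclusions: the new text ends by recommending ECDH, and the retained lines "We therefore consider DHE a security risk. If possible, it is recommended users should consider preferring other methods of key exchange." then restate the same conclusion in weaker, less specific form (the new text qualifies the risk as applying to non-standard primes, while the old sentence calls DHE a risk unconditionally). Suggest dropping the old three lines or merging them into the new paragraph, e.g. "We therefore consider DHE with non-standard parameters a security risk, and recommend ECDH where possible." Also, the inserted text spells out "Diffie-Hellman-Merkle" while the surrounding header and the rest of the module use "DHE"/"DH"; pick one form so readers searching the header find a consistent name.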