Up default server DHM size to 2048 bits

This commit is contained in:
Manuel Pégourié-Gonnard 2015-07-03 17:45:57 +02:00
parent f0dd045bbe
commit f0f399d66c
3 changed files with 6 additions and 3 deletions

View file

@ -5,6 +5,9 @@ mbed TLS ChangeLog (Sorted per branch, date)
Security
* Increase the minimum size of Diffie-Hellman parameters accepted by the
client to 1024 bits, to protect against Logjam attack.
* Increase the size of default Diffie-Hellman parameters on the server to
2048 bits. This can be changed with ssl_set_dh_params().
Bugfix
* Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).

View file

@ -1327,7 +1327,7 @@ void ssl_set_psk_cb( ssl_context *ssl,
/**
* \brief Set the Diffie-Hellman public P and G values,
* read as hexadecimal strings (server-side only)
* (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
* (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
*
* \param ssl SSL context
* \param dhm_P Diffie-Hellman-Merkle modulus

View file

@ -3618,9 +3618,9 @@ int ssl_init( ssl_context *ssl )
#if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
( ret = mpi_read_string( &ssl->dhm_G, 16,
POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
{
SSL_DEBUG_RET( 1, "mpi_read_string", ret );
return( ret );