Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919
The origin of the primes in RFC 5114 is undocumented and their use therefore
constitutes a security risk.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b388156..1ef50c2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7538,8 +7538,8 @@
if( endpoint == MBEDTLS_SSL_IS_SERVER )
{
if( ( ret = mbedtls_ssl_conf_dh_param( conf,
- MBEDTLS_DHM_RFC5114_MODP_2048_P,
- MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+ mbedtls_dhm_rfc7919_ffdhe2048_p,
+ mbedtls_dhm_rfc7919_ffdhe2048_g ) ) != 0 )
{
return( ret );
}
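Review bot: The server-branch call now passes `mbedtls_dhm_rfc7919_ffdhe2048_p` and `mbedtls_dhm_rfc7919_ffdhe2048_g`, whose lowercase names suggest objects rather than the string-literal macros they replace. Their declarations are not visible in this hunk, so please confirm they have the type and encoding that `mbedtls_ssl_conf_dh_param` expects. The call site should also record the rationale, for example `/* Default DHM group: RFC 7919 ffdhe2048; unlike the RFC 5114 primes, its derivation is documented. */`. Servers that relied on the built-in default will presumably offer a different group after upgrading, which seems worth a ChangeLog entry. The enclosing function starts and ends outside the hunk.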