From f0f399d66c241ddbbad8e1bad387eb0d829a5765 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 3 Jul 2015 17:45:57 +0200
Subject: [PATCH] Up default server DHM size to 2048 bits
---
 ChangeLog | 3 +++
 include/polarssl/ssl.h | 2 +-
 library/ssl_tls.c | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 45c26e8cf..5e6932c6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ mbed TLS ChangeLog (Sorted per branch, date)
 Security
 * Increase the minimum size of Diffie-Hellman parameters accepted by the client to 1024 bits, to protect against Logjam attack.
+ * Increase the size of default Diffie-Hellman parameters on the server to
+ 2048 bits. This can be changed with ssl_set_dh_params().
+
 Bugfix
 * Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index f82d4fcce..9c6a0c5b0 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1327,7 +1327,7 @@ void ssl_set_psk_cb( ssl_context *ssl,
 /**
 * \brief Set the Diffie-Hellman public P and G values,
 * read as hexadecimal strings (server-side only)
- * (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
+ * (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
 *
 * \param ssl SSL context
 * \param dhm_P Diffie-Hellman-Merkle modulus
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f079adc45..b8fb50715 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3618,9 +3618,9 @@ int ssl_init( ssl_context *ssl )
 #if defined(POLARSSL_DHM_C)
 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
+ POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
 ( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
+ POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
 return( ret );
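Review bot: The updated `(Default: ...)` line in the ssl_set_dh_params() doc comment in include/polarssl/ssl.h names the new macro pair but still gives callers no guidance on which sizes are acceptable when they override the default. The ChangeLog context in this same patch says clients now reject parameters below 1024 bits, so a server application that passes a smaller group through this call would presumably fail handshakes with such clients. I would add a line under the default such as ` * \note Groups below 1024 bits are rejected by current clients; prefer 2048 bits or more.`. The comment block continues past the end of the hunk.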
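Review bot: The new default loaded in ssl_init() (library/ssl_tls.c) is still one of the RFC 5114 groups, and nothing at the two `mpi_read_string()` calls records why that family was kept when the size was raised. RFC 5114 moduli are not safe primes (they carry a short prime-order subgroup), so the strength of this default leans on the DHM code validating the peer's public value, which is not visible in this hunk; a 2048-bit safe-prime group such as those in RFC 3526 would reduce that dependency. At minimum I would add a comment above the `if`, e.g. `/* Default server DH group: RFC 5114 2048-bit MODP; applications can override via ssl_set_dh_params() */`. ssl_init() starts and ends outside the hunk, so the cleanup on the `return( ret )` path cannot be checked from here.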