authorManuel Pégourié-Gonnard <mpg@elzevir.fr>2015-07-03 17:43:06 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>2015-07-03 17:43:06 +0200
commit3517c20df77ed5e92427c0e0bcb6bb2a2b4326c4 (patch)
tree1466f3bfa967c546b0c5a5f67af84983bebb0df9
parentf333174fa1ded0e2615809e9706a3737aa0e31fd (diff)
Up default server DH params to 2048 bits
-rw-r--r--ChangeLog4
-rw-r--r--include/polarssl/ssl.h2
-rw-r--r--library/ssl_tls.c4
3 files changed, 6 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 626b141..d757010 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,9 @@ PolarSSL ChangeLog
Security
* Increase the minimum size of Diffie-Hellman parameters accepted by the
- lient to 1024 bits, to protect against Logjam attack.
+ client to 1024 bits, to protect against Logjam attack.
+ * Increase the size of default Diffie-Hellman parameters on the server to
+ 2048 bits. This can be changed with ssl_set_dh_params().
Bugfix
* Fix thread-safety issue in the SSL debug module.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index e6cc2ad..e31b776 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -814,7 +814,7 @@ void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
/**
* \brief Set the Diffie-Hellman public P and G values,
* read as hexadecimal strings (server-side only)
- * (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
+ * (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
*
* \param ssl SSL context
* \param dhm_P Diffie-Hellman-Merkle modulus
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 41722e8..734bc8f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3075,9 +3075,9 @@ int ssl_init( ssl_context *ssl )
#if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
+ POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
+ POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
{
SSL_DEBUG_RET( 1, "mpi_read_string", ret );
return( ret );
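Review bot: The new default loaded by the two `mpi_read_string()` calls is still an RFC 5114 group, and the 2048-bit primes in that RFC are not safe primes (the generator spans a much smaller prime-order subgroup), so the modulus size alone overstates the margin gained over the 1024-bit default. If dhm.h in this branch defines a 2048-bit safe-prime group (for example the RFC 3526 one), that would be the stronger default. Otherwise the choice deserves a comment above the `if`, such as `/* Default server DH group: RFC 5114 2048-bit MODP; not a safe prime, override with ssl_set_dh_params() */`. Some older TLS clients are known to reject DH moduli above 1024 bits, so the ChangeLog entry could also mention the interoperability impact. ssl_init() begins and ends outside this hunk.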