From 8c8b0ab8779255ee98e22d885f286b1b890830f0 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Sep 2017 11:49:49 +0100
Subject: [PATCH] Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919

The origin of the primes in RFC 5114 is undocumented and their use therefore constitutes a security risk.
---
 library/ssl_tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b388156df..1ef50c244 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7538,8 +7538,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 if( endpoint == MBEDTLS_SSL_IS_SERVER )
 {
 if( ( ret = mbedtls_ssl_conf_dh_param( conf,
- MBEDTLS_DHM_RFC5114_MODP_2048_P,
- MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+ mbedtls_dhm_rfc7919_ffdhe2048_p,
+ mbedtls_dhm_rfc7919_ffdhe2048_g ) ) != 0 )
 {
 return( ret );
 }
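Review bot: The new arguments `mbedtls_dhm_rfc7919_ffdhe2048_p` / `_g` use the library's lowercase naming for variables, whereas the replaced `MBEDTLS_DHM_RFC5114_MODP_2048_P` / `_G` were macros, so this presumably changes the argument type as well as the group; `mbedtls_ssl_conf_dh_param()` is not visible in the hunk, but if it still takes hex-string `const char *` parameters and the RFC 7919 symbols are byte arrays, the call will misparse or reject them, so confirm the parameter types match (or that a binary-parameter setter is used) and that a test exercises the server default path. The group change also deserves a why-comment so it is not silently reverted, e.g. `/* RFC 7919 ffdhe2048: replaces the RFC 5114 group, whose generation is undocumented. */` above the call. Since the default group changes for every server relying on `mbedtls_ssl_config_defaults()`, a ChangeLog entry naming the new default would help users who pin or compare DH parameters. The enclosing `mbedtls_ssl_config_defaults()` starts and ends outside the hunk.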