Improve top warning in dhm.h
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index 73b69e0..479aef8 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -36,6 +36,14 @@
  *           primes cannot be trusted because of the possibility of backdoors
  *           that can't be effectively checked for.
  *
+ *           Diffie-Hellman-Merkle is therefore a security risk when not using
+ *           standardized primes generated using a trustworthy ("nothing up
+ *           my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ *           protocol, DH parameters need to be negotiated, so using the default
+ *           primes systematically is not always an option. If possible, use
+ *           Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ *           and for which the TLS protocol mandates the use of standard
+ *           parameters that were generated in a nothing-up-my-sleeve manner.
  *           We therefore consider DHE a security risk. If possible, it is
  *           recommended users should consider preferring other methods of
  *           key exchange.
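Review bot: The retained context lines right after the added paragraph ("We therefore consider DHE a security risk. If possible, it is recommended users should consider preferring other methods of key exchange.") now repeat what the new text already says, and their "therefore" directly follows the sentence recommending ECDH, so the conclusion no longer follows from the preceding sentence. Consider dropping those three lines, or folding them into the new paragraph so the warning states the risk once and ends on the ECDH recommendation. The comment also mixes "Diffie-Hellman-Merkle", "DH" and "DHE" for the same key exchange; picking one term and introducing the abbreviation on first use would make the warning easier to scan. Finally, "the default primes" is not defined in the visible text; if it means the RFC 3526 / 7919 primes named in the previous sentence, saying so explicitly would avoid ambiguity.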