Choosing Diffie-Hellman parameters

Developers have the option to set the Diffie-Hellman (DHM) parameters for SSL servers with mbedtls_ssl_conf_dh_param(). As of PolarSSL 1.2.0 this is no longer required, as default parameters are preloaded.

Default Diffie-Hellman parameters

For versions of PolarSSL and mbed TLS in the 1.2 and 1.3 branches, the Diffie-Hellman parameters are set by default to the 1024-bit MODP parameters from RFC 5114 (MBEDTLS_DHM_RFC5114_MODP_1024_P and MBEDTLS_DHM_RFC5114_MODP_1024_G). From a security perspective, it is desirable to use a larger value, unless you know you have clients for which this will cause interoperability issues. Larger values are provided in dhm.h. In mbed TLS 2.0, the default parameters are the 2048-bit MODP group from RFC 5114.

Custom parameters

Of course it's possible to set your own parameters that you have generated in a secure way. Starting with PolarSSL 1.2.15, mbed TLS 1.3.12 and the mbed TLS 2.0 branch, the example program programs/pkey/dh_genprime can be used for that. Just run dh_genprime bits=<desired size>. The resulting parameters are in dh_prime.txt; you can copy-paste them into your application code and use them as arguments to mbedtls_ssl_conf_dh_param().

Custom vs standard parameters

We used to recommend using standard parameters rather than generating your own. However, the team of researchers behind the Logjam attack also showed that there is some risk associated with that if the parameters are not large enough. More precisely, they showed that the amount of computation required to break any number of MODP Diffie-Hellman key exchanges is very close to the amount required to break just one of them, as long as they all use the same parameters. So if your parameter size is just at the limit of what an adversary can break, using standard parameters allows the adversary to amortize the cost of the initial computation, which is not what we want.

As of this writing (July 2015), 1024 bits is considered within reach of the most powerful adversaries, and 2048 bits safe according to public knowledge. If you absolutely must use 1024-bit parameters for compatibility with old clients, then it is highly desirable to generate your own rather than using standard parameters. If you are able to use parameters of 2048 bits or more, then you should be safe both ways.
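The following is an added example, not code from the article or from mbed TLS itself: a small self-contained C check that a server can run on the contents of a generated parameter file before handing P and G to mbedtls_ssl_conf_dh_param(), enforcing the size guidance above (reject anything below 2048 bits) and rejecting a degenerate generator. It assumes the file uses the "P = <hex>" / "G = <hex>" line layout that dh_genprime writes via mbedtls_mpi_write_file(); the names hex_bit_length, find_value, dh_params_acceptable and check_sample are this example's own, and the sample inputs are constructed runs of 'F' nibbles that only stand in for a modulus of the right size (they are not primes).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy floor for the modulus size, in bits: the article treats 1024 bits as
 * within reach of powerful adversaries and 2048 bits as safe (July 2015). */
#define DH_MIN_BITS 2048

/* Result codes for dh_params_acceptable(). */
enum { DH_OK = 0, DH_ERR_PARSE = -1, DH_ERR_P_TOO_SMALL = -2, DH_ERR_G_INVALID = -3 };

/* Number of significant bits in a hex string (leading zeros ignored).
 * Returns 0 for an empty value, a value of zero, or a non-hex character. */
static size_t hex_bit_length(const char *hex, size_t len)
{
    size_t i = 0;
    while (i < len && hex[i] == '0') i++;          /* skip leading zeros */
    if (i == len) return 0;
    for (size_t j = i; j < len; j++)
        if (!isxdigit((unsigned char)hex[j])) return 0;
    int c = tolower((unsigned char)hex[i]);
    int first = isdigit(c) ? c - '0' : c - 'a' + 10;
    size_t lead = first >= 8 ? 4 : first >= 4 ? 3 : first >= 2 ? 2 : 1;
    return lead + 4 * (len - i - 1);               /* bits of first nibble + rest */
}

/* Locate the hex digits following a "<label>" prefix such as "P = ".
 * Returns a pointer into text and the digit count, or NULL if absent. */
static const char *find_value(const char *text, const char *label, size_t *out_len)
{
    const char *p = strstr(text, label);
    if (!p) return NULL;
    p += strlen(label);
    while (*p == ' ' || *p == '\t') p++;
    const char *start = p;
    while (isxdigit((unsigned char)*p)) p++;
    *out_len = (size_t)(p - start);
    return start;
}

/* Validate the text of a dh_prime.txt-style file ("P = <hex>\nG = <hex>\n").
 * Returns DH_OK when P has at least DH_MIN_BITS bits and G is at least 2;
 * on success *p_bits (if non-NULL) receives the modulus size in bits.
 * The P and G strings would then be passed to mbedtls_ssl_conf_dh_param(). */
int dh_params_acceptable(const char *text, size_t *p_bits)
{
    size_t plen = 0, glen = 0;
    const char *p = find_value(text, "P = ", &plen);
    const char *g = find_value(text, "G = ", &glen);
    if (!p || !g || plen == 0 || glen == 0) return DH_ERR_PARSE;
    size_t bits = hex_bit_length(p, plen);
    if (bits == 0) return DH_ERR_PARSE;
    if (p_bits) *p_bits = bits;
    if (bits < DH_MIN_BITS) return DH_ERR_P_TOO_SMALL;
    /* a generator of 0 or 1 has fewer than 2 bits and yields a trivial group */
    if (hex_bit_length(g, glen) < 2) return DH_ERR_G_INVALID;
    return DH_OK;
}

/* Constructed sample in the dh_prime.txt layout: P is p_hex_digits 'F'
 * nibbles (not a real prime; only its size matters here), G is g_hex. */
int check_sample(size_t p_hex_digits, const char *g_hex)
{
    static char buf[4096];
    if (p_hex_digits + strlen(g_hex) + 16 > sizeof buf) return DH_ERR_PARSE;
    char *w = buf;
    w += sprintf(w, "P = ");
    memset(w, 'F', p_hex_digits);
    w += p_hex_digits;
    sprintf(w, "\nG = %s\n", g_hex);
    return dh_params_acceptable(buf, NULL);
}

int main(void)
{
    printf("2048-bit sample, G=2: %d (expect %d)\n", check_sample(512, "2"), DH_OK);
    printf("1024-bit sample, G=2: %d (expect %d)\n", check_sample(256, "2"), DH_ERR_P_TOO_SMALL);
    printf("2048-bit sample, G=1: %d (expect %d)\n", check_sample(512, "1"), DH_ERR_G_INVALID);
    return 0;
}
```

The bit count is computed from the hex text alone, so the check needs no bignum library and can run at configuration load time; a server that logs the rejection reason (rather than silently falling back to defaults) makes an undersized or mis-pasted parameter set visible at deployment instead of at audit time.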

Of course, an alternative is to switch to Elliptic Curve Diffie-Hellman (an ECDHE ciphersuite), which does not have this security issue and also improves performance.
