diff --git a/ChangeLog b/ChangeLog
index ea41611aaf..ee2fc46c67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@ Security
 Reported by Marco Macchetti, Kudelski Group.
 * Wipe stack buffer temporarily holding EC private exponent after keypair generation.
+ * Change default choice of DHE parameters from untrustworthy RFC 5114
+ to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+ manner.
 Features
 * Allow comments in test data files.
diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index 8d64a5f913..e8ea1725c8 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -55,6 +55,12 @@
 * RFC 3526 4. 3072-bit MODP Group
 * RFC 5114 2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
 * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ *
+ * \warning The primes from RFC 5114 do not come together with information
+ * on how they were generated and are therefore not considered
+ * trustworthy. It is recommended to avoid them and to use the
+ * nothing-up-my-sleeve primes from RFC 3526 instead.
+ *
 */
 #define POLARSSL_DHM_RFC2409_MODP_1024_P \
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 855872b4fc..aa478e2f32 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3711,9 +3711,9 @@ int ssl_init( ssl_context *ssl )
 #if defined(POLARSSL_DHM_C)
 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
+ POLARSSL_DHM_RFC3526_MODP_2048_P) ) != 0 ||
 ( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
+ POLARSSL_DHM_RFC3526_MODP_2048_G) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
 return( ret );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b99aeb6a04..2e76efef2f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
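Review bot: The added \warning in dhm.h gives only the provenance reason, while the list entries just above it already name the structural difference that matters for implementers: the RFC 5114 groups have a small prime-order subgroup, i.e. p is not a safe prime, so unless a peer's public value is verified to lie in that q-order subgroup the private exponent is exposed to small-subgroup leakage, whereas the RFC 3526 safe-prime groups with g = 2 confine that exposure to at most one bit. Consider extending the warning with a line such as `* Unlike the RFC 3526 groups these primes are not safe primes; a peer's public value must be verified to lie in the q-order subgroup before use.` The POLARSSL_DHM_RFC5114_* definitions themselves are outside this hunk; a one-line pointer to this warning beside each of them would reach readers who jump straight to the macro.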
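Review bot: The new default in ssl_init is undocumented at the point of use: a reader sees two macro names but not why RFC 3526 was preferred, and the rationale lives only in the dhm.h comment and the ChangeLog. A short comment above the `#if defined(POLARSSL_DHM_C)` block would carry it, e.g. `/* Default DHE group: RFC 3526 2048-bit MODP (safe prime, g = 2, nothing-up-my-sleeve). RFC 5114 groups are avoided; see the warning in dhm.h. */`. This default only reaches servers that never call ssl_set_dh_param or ssl_set_dh_param_ctx, as ssl_server2.c does in this same commit, so any other program or test that hard-codes POLARSSL_DHM_RFC5114_* keeps the old group; only ssl_server2.c is visible here. ssl_init continues outside the hunk.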
@@ -1598,8 +1598,8 @@ int main( int argc, char *argv[] )
 ret = ssl_set_dh_param_ctx( &ssl, &dhm );
 else
 #endif
- ret = ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P,
- POLARSSL_DHM_RFC5114_MODP_2048_G );
+ ret = ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC3526_MODP_2048_P,
+ POLARSSL_DHM_RFC3526_MODP_2048_G );
 if( ret != 0 )
 {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c027bc048d..567e73fddb 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2331,7 +2331,7 @@ run_test "DHM parameters: reference" \
 debug_level=3" \
 0 \
 -c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2048 bits)"
+ -c "value of 'DHM: G ' (2 bits)"
 run_test "DHM parameters: other parameters" \
 "$P_SRV dhm_file=data_files/dhparams.pem" \
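Review bot: The explicit ssl_set_dh_param call in ssl_server2.c now installs exactly the constants ssl_init installs by default in this same commit, so it is not clear whether the sample means to exercise the API or to guarantee a particular group independent of the library default; a comment such as `/* Same group as the library default; set explicitly so the sample shows the API */` would settle that and make any future divergence between the two deliberate. If the program's usage text or option description mentions the default group, it is outside this hunk and may still refer to RFC 5114. `main` starts and ends outside the hunk.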
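Review bot: The reference test in ssl-opt.sh now pins G at 2 bits, but nothing records that the expected output corresponds to the RFC 3526 2048-bit MODP group with generator 2, so a future change of the library default will fail this test without saying why; a comment above the run_test, e.g. `# expected sizes match the library default: RFC 3526 2048-bit MODP group, g = 2`, would make the dependency explicit. Bit lengths alone also do not distinguish the RFC 3526 group from any other 2048-bit group with g = 2; if the debug output at this level includes the value bytes, matching a distinctive fragment of P would pin the group itself. The run_test call starts before this hunk.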