Change the default for DynamicDHGroups to 0

This feature can make Tor relays less identifiable by their use of the
mod_ssl DH group, but at the cost of some usability (#4721) and bridge
tracing (#6087) regressions.

We should try to turn this on by default again if we find that the
mod_ssl group is uncommon and/or we move to a different DH group size
(see #6088).  Before we can do so, we need a fix for bugs #6087 and

Resolves ticket #5598 for now.

changes/bug5598

@@ -0,0 +1,5 @@
+  o Changed defaults:
+    - Change the default value for DynamicDHGroups to 0. This feature can
+      make Tor relays less identifiable by their use of the mod_ssl DH
+      group, but at the cost of some usability (#4721) and bridge tracing
+      (#6087) regressions. Resolves ticket #5598.

doc/tor.1.txt

@@ -266,7 +266,7 @@ Other options can be specified either on the command-line (--option
     If this option is set to 1, when running as a server, generate our
     own Diffie-Hellman group instead of using the one from Apache's mod_ssl.
     This option may help circumvent censorship based on static
-    Diffie-Hellman parameters. (Default: 1).
+    Diffie-Hellman parameters. (Default: 0).
 
 **AlternateDirAuthority** [__nickname__] [**flags**] __address__:__port__ __fingerprint__ +
 

src/or/config.c

@@ -257,7 +257,7 @@ static config_var_t _option_vars[] = {
   V(DisableAllSwap,              BOOL,     "0"),
   V(DisableDebuggerAttachment,   BOOL,     "1"),
   V(DisableIOCP,                 BOOL,     "1"),
-  V(DynamicDHGroups,             BOOL,     "1"),
+  V(DynamicDHGroups,             BOOL,     "0"),
   V(DNSPort,                     LINELIST, NULL),
   V(DNSListenAddress,            LINELIST, NULL),
   V(DownloadExtraInfo,           BOOL,     "0"),