mbedtls: disable Diffie-Hellman key exchange modes by default

Using these ciphers can constitute a security risk if the server
uses a weak prime for the key exchange.

Footprint impact:
Roughly 3K saved in text+rodata in default https_request example

components/mbedtls/Kconfig

@@ -426,7 +426,7 @@ menu "mbedTLS"
 
         config MBEDTLS_KEY_EXCHANGE_DHE_PSK
             bool "Enable DHE-PSK based ciphersuite modes"
-            depends on MBEDTLS_PSK_MODES
+            depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
             default y
             help
                 Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
@@ -454,6 +454,7 @@ menu "mbedTLS"
         config MBEDTLS_KEY_EXCHANGE_DHE_RSA
             bool "Enable DHE-RSA based ciphersuite modes"
             default y
+            depends on MBEDTLS_DHM_C
             help
                 Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
 
@@ -716,6 +717,16 @@ menu "mbedTLS"
         bool  "Elliptic Curve Ciphers"
         default y
 
+    config MBEDTLS_DHM_C
+        bool "Diffie-Hellman-Merkle key exchange (DHM)"
+        default n
+        help
+            Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
+
+            Note that the security of Diffie-Hellman key exchanges depends on
+            a suitable prime being used for the exchange. Please see detailed
+            warning text about this in file `mbedtls/dhm.h` file.
+
     config MBEDTLS_ECDH_C
         bool "Elliptic Curve Diffie-Hellman (ECDH)"
         depends on MBEDTLS_ECP_C