From 3254abb3f30a051761eac1c03a236015fcd44cf9 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek
Date: Thu, 17 Oct 2019 11:52:30 +0200
Subject: [PATCH 1/5] do not generate custom DH key unless requested

---
 pcsd/ssl.rb | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb
index c71aad08..de356e46 100644
--- a/pcsd/ssl.rb
+++ b/pcsd/ssl.rb
@@ -153,14 +153,15 @@ else
   end
 end
 
-dh_key_bits_default = 1024
-dh_key_bits = dh_key_bits_default
+dh_key_bits = 0
 if ENV['PCSD_SSL_DH_KEX_BITS']
-  dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue dh_key_bits_default
+  dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0
+end
+if dh_key_bits > 0
+  $logger.info "Generating #{dh_key_bits}bits long DH key..."
+  dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)
+  $logger.info "DH key created"
 end
-$logger.info "Generating #{dh_key_bits}bits long DH key..."
-dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)
-$logger.info "DH key created"
 
 default_bind = true
 # see https://github.com/ClusterLabs/pcs/issues/51
@@ -185,8 +186,10 @@ webrick_options = {
   :SSLPrivateKey => OpenSSL::PKey::RSA.new(key),
   :SSLCertName => [[ "CN", server_name ]],
   :SSLOptions => get_ssl_options(),
-  :SSLTmpDhCallback => lambda {|ctx, is_export, keylen| dh_key},
 }
+if dh_key_bits > 0
+  webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key }
+end
 
 server = ::Rack::Handler::WEBrick
 trap(:INT) do
-- 
2.21.0
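Review bot: The `rescue 0` modifier on the `Integer(ENV['PCSD_SSL_DH_KEX_BITS'])` line silently maps any unparsable value to "no custom DH key", so a mistyped setting disables the feature with nothing in the log, and the bare modifier also swallows every StandardError rather than just the conversion failure. Rescuing `ArgumentError`/`TypeError` explicitly and logging the rejected value would make the misconfiguration visible to the operator. A value that does parse but is very small still reaches `OpenSSL::PKey::DH.generate` unchecked; the `$logger.info` lines record the requested size, but enforcing a minimum (the threshold being project policy) would be a reasonable follow-up the hunk does not cover.
```ruby
dh_key_bits = 0
if ENV['PCSD_SSL_DH_KEX_BITS']
  begin
    dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS'])
  rescue ArgumentError, TypeError
    $logger.error "Ignoring invalid PCSD_SSL_DH_KEX_BITS value, no custom DH key will be generated"
    dh_key_bits = 0
  end
end
# … unchanged: DH key generation guarded by dh_key_bits > 0 …
```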
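Review bot: The guard `if dh_key_bits > 0` around the `:SSLTmpDhCallback` assignment duplicates the condition under which `dh_key` was assigned in the earlier hunk; since that assignment appears earlier in the same script scope, testing the key itself, `if dh_key`, ties the callback to the presence of a generated key and cannot drift out of sync with the generation condition and hand OpenSSL a nil. The lambda's `ctx`, `is_export` and `keylen` parameters are unused and could be marked as such, e.g. `lambda {|_ctx, _is_export, _keylen| dh_key }`. The `webrick_options = {` literal this hunk modifies starts outside the hunk.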