From 3254abb3f30a051761eac1c03a236015fcd44cf9 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Thu, 17 Oct 2019 11:52:30 +0200
Subject: [PATCH 1/5] do not generate custom DH key unless requested
---
pcsd/ssl.rb | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb
index c71aad08..de356e46 100644
--- a/pcsd/ssl.rb
+++ b/pcsd/ssl.rb
@@ -153,14 +153,15 @@ else
end
end
-dh_key_bits_default = 1024
-dh_key_bits = dh_key_bits_default
+dh_key_bits = 0
if ENV['PCSD_SSL_DH_KEX_BITS']
- dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue dh_key_bits_default
+ dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0
+end
+if dh_key_bits > 0
+ $logger.info "Generating #{dh_key_bits}bits long DH key..."
+ dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)
+ $logger.info "DH key created"
end
-$logger.info "Generating #{dh_key_bits}bits long DH key..."
-dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)
-$logger.info "DH key created"
default_bind = true
# see https://github.com/ClusterLabs/pcs/issues/51
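Review bot: The `rescue 0` modifier on the Integer() call swallows every StandardError and silently disables the custom DH key when PCSD_SSL_DH_KEX_BITS holds a non-integer, so an operator who mistyped the value gets no custom DH key and no log line saying why; the only evidence is the absence of the "Generating ... DH key" message. An explicit rescue of ArgumentError/TypeError with a warning keeps the same fallback but makes the misconfiguration visible (Ruby 2.6+ could use `Integer(..., exception: false) || 0` instead, if pcsd's minimum Ruby allows it). The `dh_key_bits > 0` guard also accepts any positive size, so a deliberately tiny value is generated without complaint; whether a lower bound belongs here depends on what OpenSSL::PKey::DH.generate rejects on the supported platforms, which the hunk does not show.
```ruby
dh_key_bits = 0
if ENV['PCSD_SSL_DH_KEX_BITS']
  begin
    dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS'])
  rescue ArgumentError, TypeError
    $logger.warn "Invalid PCSD_SSL_DH_KEX_BITS value '#{ENV['PCSD_SSL_DH_KEX_BITS']}', not generating a custom DH key"
    dh_key_bits = 0
  end
end
# … unchanged: DH key generation when dh_key_bits > 0 …
```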
@@ -185,8 +186,10 @@ webrick_options = {
:SSLPrivateKey => OpenSSL::PKey::RSA.new(key),
:SSLCertName => [[ "CN", server_name ]],
:SSLOptions => get_ssl_options(),
- :SSLTmpDhCallback => lambda {|ctx, is_export, keylen| dh_key},
}
+if dh_key_bits > 0
+ webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key }
+end
server = ::Rack::Handler::WEBrick
trap(:INT) do
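Review bot: The re-added SSLTmpDhCallback lambda declares three parameters it never reads, and the new line differs from the removed one only in the space before `}`, so this is a good moment to mark them as intentionally unused: `webrick_options[:SSLTmpDhCallback] = lambda { |_ctx, _is_export, _keylen| dh_key }`. Assigning into webrick_options after the literal is fine here since dh_key is only bound when dh_key_bits > 0 in the earlier hunk; a one-line comment above the `if`, such as `# only override WEBrick's DH parameters when a custom key was generated`, would spare the next reader the jump back to that block.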
--
2.21.0