diff --git a/SOURCES/bz1870551-1-Explicitly-close-TCP-connections-after-use.patch b/SOURCES/bz1870551-1-Explicitly-close-TCP-connections-after-use.patch
new file mode 100644
index 0000000..a7e3747
--- /dev/null
+++ b/SOURCES/bz1870551-1-Explicitly-close-TCP-connections-after-use.patch
@@ -0,0 +1,29 @@
+From 4c1631fc239d2f0b8323b48e5fa95b0dc6f75f40 Mon Sep 17 00:00:00 2001
+From: Ondrej Mular <omular@redhat.com>
+Date: Wed, 7 Oct 2020 08:31:59 +0200
+Subject: [PATCH 1/2] Explicitly close TCP connections after use
+
+---
+ pcsd/pcs.rb | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
+index 12eb3eb1..c59de37b 100644
+--- a/pcsd/pcs.rb
++++ b/pcsd/pcs.rb
+@@ -515,8 +515,11 @@ def send_request(
+   })
+   req.compose_header('Expect', '')
+   return_code = req.perform
++  response_code = req.response_code
++  response_body = req.response_body
++  req.cleanup
+   if return_code == :ok
+-    return req.response_code, req.response_body
++    return response_code, response_body
+   else
+     if is_proxy_set(ENV)
+       $logger.warn(
+-- 
+2.21.0
+
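Review bot: `req.cleanup` in send_request (pcsd/pcs.rb) sits on the straight-line path only, so if `req.perform` or one of the two response accessors raises, the handle and its TCP connection stay open, which is the CLOSE-WAIT leak this patch sets out to remove. Putting `begin` before `return_code = req.perform` and `ensure; req.cleanup; end` after `response_body = req.response_body` would release the connection on every exit path. Whether `perform` can raise is not visible here, and send_request starts and ends outside the hunk, so confirm this against the request library in use.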
diff --git a/SOURCES/bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch b/SOURCES/bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch
new file mode 100644
index 0000000..1ebb223
--- /dev/null
+++ b/SOURCES/bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch
@@ -0,0 +1,97 @@
+From f3cd02e668f94c294d685edb24a051e2451589f1 Mon Sep 17 00:00:00 2001
+From: Tomas Jelinek <tojeline@redhat.com>
+Date: Fri, 23 Oct 2020 16:37:56 +0200
+Subject: [PATCH 2/2] add support for loading a DH key from a file
+
+---
+ pcsd/pcsd.conf             |  6 +++++-
+ pcsd/rfc7919-ffdhe2048.pem |  8 ++++++++
+ pcsd/settings.rb           |  1 +
+ pcsd/ssl.rb                | 20 ++++++++++++++++++--
+ 4 files changed, 32 insertions(+), 3 deletions(-)
+ create mode 100644 pcsd/rfc7919-ffdhe2048.pem
+
+diff --git a/pcsd/pcsd.conf b/pcsd/pcsd.conf
+index 73d8b0ce..9f522353 100644
+--- a/pcsd/pcsd.conf
++++ b/pcsd/pcsd.conf
+@@ -31,7 +31,11 @@ PCSD_SESSION_LIFETIME=3600
+ # set SSL ciphers
+ #PCSD_SSL_CIPHERS='DEFAULT:!RC4:!3DES:@STRENGTH'
+ 
+-# set length (in bits) of DH key for key exchange
++# set a DH key for key exchange, this overrides PCSD_SSL_DH_KEX_BITS
++# set to an empty string to disable this option and generate a random DH key
++#PCSD_SSL_DH_KEX_FILE=/usr/lib/pcsd/rfc7919-ffdhe2048.pem
++
++# set length (in bits) of a DH key for key exchange
+ #PCSD_SSL_DH_KEX_BITS=1024
+ 
+ # Reject client initiated SSL/TLS renegotiation. Set this to true to make pcsd
+diff --git a/pcsd/rfc7919-ffdhe2048.pem b/pcsd/rfc7919-ffdhe2048.pem
+new file mode 100644
+index 00000000..9b182b72
+--- /dev/null
++++ b/pcsd/rfc7919-ffdhe2048.pem
+@@ -0,0 +1,8 @@
++-----BEGIN DH PARAMETERS-----
++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
++-----END DH PARAMETERS-----
+diff --git a/pcsd/settings.rb b/pcsd/settings.rb
+index 3edc02b7..e7ff410d 100644
+--- a/pcsd/settings.rb
++++ b/pcsd/settings.rb
+@@ -6,6 +6,7 @@ PCSD_DEFAULT_PORT = 2224
+ CRT_FILE = PCSD_VAR_LOCATION + 'pcsd.crt'
+ KEY_FILE = PCSD_VAR_LOCATION + 'pcsd.key'
+ COOKIE_FILE = PCSD_VAR_LOCATION + 'pcsd.cookiesecret'
++DH_KEY_FILE = PCSD_EXEC_LOCATION + 'rfc7919-ffdhe2048.pem'
+ 
+ PENGINE = "/usr/libexec/pacemaker/pengine"
+ CIB_BINARY = '/usr/libexec/pacemaker/cib'
+diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb
+index de356e46..5acbac37 100644
+--- a/pcsd/ssl.rb
++++ b/pcsd/ssl.rb
+@@ -157,7 +157,23 @@ dh_key_bits = 0
+ if ENV['PCSD_SSL_DH_KEX_BITS']
+   dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0
+ end
+-if dh_key_bits > 0
++dh_key_file = DH_KEY_FILE
++if ENV['PCSD_SSL_DH_KEX_FILE']
++  dh_key_file = ENV['PCSD_SSL_DH_KEX_FILE']
++end
++
++dh_key = nil
++if not dh_key_file.empty?()
++  $logger.info "Using '#{dh_key_file}' as a DH key..."
++  begin
++    dh_key = OpenSSL::PKey::DH.new(File.read(dh_key_file))
++    dh_key.generate_key!
++    $logger.info "DH key loaded"
++  rescue => e
++    $logger.error "Unable to read DH key file: #{e}"
++    exit 1
++  end
++elsif dh_key_bits > 0
+   $logger.info "Generating #{dh_key_bits}bits long DH key..."
+   dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)
+   $logger.info "DH key created"
+@@ -187,7 +203,7 @@ webrick_options = {
+   :SSLCertName        => [[ "CN", server_name ]],
+   :SSLOptions         => get_ssl_options(),
+ }
+-if dh_key_bits > 0
++if not dh_key.nil?()
+   webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key }
+ end
+ 
+-- 
+2.21.0
+
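Review bot: The DH parameters read in pcsd/ssl.rb from `DH_KEY_FILE` or `PCSD_SSL_DH_KEX_FILE` are used for key exchange as soon as they parse, with no check of their validity or size, so an operator-supplied file holding short or unsafe parameters would silently weaken every TLS session. Inside the existing `begin` block, right after `OpenSSL::PKey::DH.new(...)`, I would add `raise "DH parameters rejected" unless dh_key.params_ok? && dh_key.p.num_bits >= 2048` so that a bad file takes the same `exit 1` path as an unreadable one. The 2048-bit floor is a policy choice that matches the bundled ffdhe2048 group. The log text `Unable to read DH key file` would then also cover rejected parameters and could be reworded to `Unable to load DH key file`.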
diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec
index d6d54f1..357a3f8 100644
--- a/SPECS/pcs.spec
+++ b/SPECS/pcs.spec
@@ -1,6 +1,6 @@
 Name: pcs
 Version: 0.9.169
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 License: GPLv2
 URL: https://github.com/ClusterLabs/pcs
 Group: System Environment/Base
@@ -64,6 +64,8 @@ Patch99: bz1459503-01-OSP-workarounds-not-compatible-wi.patch
 Patch100: change-cman-to-rhel6-in-messages.patch
 Patch101: show-only-warning-when-crm_mon-xml-is-invalid.patch
 Patch102: bz1820813-01-use-subprocess32-instead-of-subprocess.patch
+Patch103: bz1870551-1-Explicitly-close-TCP-connections-after-use.patch
+Patch104: bz1888479-1-add-support-for-loading-a-DH-key-from-a-file.patch
 
 # git for patches
 BuildRequires: git
@@ -200,6 +202,8 @@ UpdateTimestamps -p1 %{PATCH99}
 UpdateTimestamps -p1 %{PATCH100}
 UpdateTimestamps -p1 %{PATCH101}
 UpdateTimestamps -p1 %{PATCH102}
+UpdateTimestamps -p1 %{PATCH103}
+UpdateTimestamps -p1 %{PATCH104}
 
 cp -f %SOURCE1 pcsd/public/images
 
@@ -512,6 +516,12 @@ run_all_tests
 %doc pyagentx_README.md
 
 %changelog
+* Fri Nov 13 2020 Ivan Devat <idevat@redhat.com> - 0.9.169-3.el7_3.1
+- Explicitly close libcurl connections to prevent stalled TCP connections in CLOSE-WAIT state
+- Added support for loading DH keys from a file
+- Resolves: rhbz#1870551 rhbz#1888479
+
+
 * Tue Jun 18 2020 Ivan Devat <idevat@redhat.com> - 0.9.169-3
 - Added option: pcs resource [safe-]disable --simulate` has a new option `--brief` to print only a list of affected resources
 - Fixed race-condition when removing multiple resources from web UI