From a98152afa41685f92ad867576cb44bda36b228d6 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Sat, 2 Sep 2017 18:09:37 +0900
Subject: ssl: use 2048-bit group in the default tmp_dh_cb

The 'keylen' parameter of the tmp_dh_callback is only meaningful when 'is_export' is non-zero. Ignore them and just return the default 2048-bit DH group.
---
 lib/openssl/ssl.rb | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index ec0a4537..d74b7d54 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -30,15 +30,6 @@ module OpenSSL
 }
 if defined?(OpenSSL::PKey::DH)
- DEFAULT_1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_
------BEGIN DH PARAMETERS-----
-MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
-AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR
-T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC
------END DH PARAMETERS-----
- _end_of_pem_
- private_constant :DEFAULT_1024
-
 DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
@@ -53,11 +44,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
 DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
 warn "using default DH parameters." if $VERBOSE
- case keylen
- when 1024 then DEFAULT_1024
- when 2048 then DEFAULT_2048
- else nil
- end
+ DEFAULT_2048
 }
 end
-- 
cgit v1.2.3
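Review bot: In the second hunk the new body of `DEFAULT_TMP_DH_CALLBACK` no longer reads `is_export` or `keylen`, and nothing in the code says this is deliberate; the reason is given only in the commit message. I would add a comment above the `DEFAULT_2048` line in the lambda, e.g. `# keylen only matters for export ciphers; always hand out the 2048-bit group, never a smaller one`, so a later edit does not bring back a size switch and with it a weaker group. The diffstat lists only lib/openssl/ssl.rb, so no test pins that the callback returns the 2048-bit group for every `keylen` value (for example 512 and 1024); one would be worth adding. The enclosing `if defined?(OpenSSL::PKey::DH)` block begins outside this hunk.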