From e3d0fd6d468fbbdd0265e09bec118d450d553512 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Sat, 3 Mar 2018 12:17:27 +0900 Subject: [PATCH] common: temporarily disable DHE until make it possible to use generated DH parameters per installation. --- common/ssl_calls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index ccc0e70c..9347e411 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -492,6 +492,7 @@ see also * https://wiki.openssl.org/index.php/Diffie-Hellman_parameters * https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3) */ +#if 0 /* temprarily disable DHE until make DH parameters not static */ DH *get_dh2236() { static unsigned char dh2236_p[] = { @@ -538,6 +539,7 @@ DH *get_dh2236() } return dh; } +#endif /*****************************************************************************/ struct ssl_tls * @@ -646,6 +648,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_options(self->ctx, options); +#if 0 /* temprarily disable DHE until make DH parameters not static */ DH *dh = get_dh2236(); if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) { @@ -653,6 +656,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, return 1; } DH_free(dh); +#endif #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(self->ctx, 1); #endif
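Review bot: The `#if 0` comment added above `get_dh2236()` is misspelled ("temprarily") and does not say what must change before the code can come back. The same comment is repeated at the call site in `ssl_tls_accept`. I would write it as `#if 0 /* temporarily disable DHE until DH parameters are generated per installation */` and tag the closing line in the second hunk as `#endif /* DHE disabled */`. Because the definition and its only visible caller must be re-enabled together, a single named guard (for example a constructed name such as `XRDP_ENABLE_DHE`) would be safer than two independent `#if 0` pairs. The body of `get_dh2236()` lies between the first two hunks and is not visible here.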
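Review bot: With the `SSL_CTX_set_tmp_dh` block in `ssl_tls_accept` compiled out, the only ephemeral key exchange left is whatever `SSL_CTX_set_ecdh_auto(self->ctx, 1)` enables, and that call is itself behind `#if defined(SSL_CTX_set_ecdh_auto)` (visible in the last hunk). On an OpenSSL build that does not define that macro, neither DHE nor ECDHE would be configured here, so sessions would presumably fall back to key exchange without forward secrecy. Nothing in the visible code reports that. I would document the dependency next to the new guard, e.g. `/* DHE is off: forward secrecy now depends on ECDHE being enabled below */`, and add an `#else` branch to the ECDH guard that logs or emits a build warning when no ephemeral suite is set up. Clients that offer only DHE suites are also affected, which is worth a line in the release notes.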
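Review bot: The block this `#endif` closes has `return 1;` inside the failure branch, ahead of `DH_free(dh);`, so once DHE is re-enabled a failed `SSL_CTX_set_tmp_dh` would return without freeing `dh`. The line between the third and fourth hunks is not shown, so this is inferred from the visible context only. The code is currently compiled out and this is not a regression from this commit, but it should be fixed before the guard is removed: put `DH_free(dh);` before `return 1;`. It is also worth checking the result of `get_dh2236()` for NULL before passing it to `SSL_CTX_set_tmp_dh`. `ssl_tls_accept` continues outside the hunk.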