From 830f42770ec1049a4829fd3cebe575de432226af Mon Sep 17 00:00:00 2001
From: Ryan Mitchell
Date: Thu, 2 Mar 2023 09:43:19 -0800
Subject: [PATCH] ecdsa cert feature gated by global allow_ecdsa_256bit_certs

---
 src/switch_core_cert.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/switch_core_cert.c b/src/switch_core_cert.c
index 098684dbf9..09b74644a8 100644
--- a/src/switch_core_cert.c
+++ b/src/switch_core_cert.c
@@ -365,8 +365,10 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
 	}
 
 	bits = EVP_PKEY_bits(pkey);
-	min_cert_size_bits = EVP_PKEY_EC == EVP_PKEY_id(pkey) ? 256 : 4096;
-
+	min_cert_size_bits = 4096;
+	if (switch_true(switch_core_get_variable("allow_ecdsa_256bit_certs")) && EVP_PKEY_EC == EVP_PKEY_id(pkey)) {
+		min_cert_size_bits = 256;
+	}
 	EVP_PKEY_free(pkey);
 
 	if (bits < min_cert_size_bits) {
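Review bot: With the variable unset, every EC key now falls under the 4096-bit floor, so the added `if` rejects not only P-256 but also larger EC keys (384 or 521 bits), which the old ternary accepted; if the intent is to gate 256-bit curves only, the fallback for EC keys needs its own floor rather than the RSA one, and either way the policy deserves a comment such as `/* EC keys are rejected unless allow_ecdsa_256bit_certs is set; all other key types must be >= 4096 bits */`. The `&&` also evaluates the global-variable lookup before the cheap key-type test, so every RSA check pays for it; reordering to `if (EVP_PKEY_EC == EVP_PKEY_id(pkey) && switch_true(switch_core_get_variable("allow_ecdsa_256bit_certs"))) {` keeps the same result. Since existing EC certificates will start failing by default, the rejection branch at `if (bits < min_cert_size_bits)` (its body lies outside the hunk) would presumably help operators most if its log line named the variable that re-enables them. switch_core_check_dtls_pem starts before the hunk.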