From 948e622f6feeea245f8fdff124db79b6e38ee0e8 Mon Sep 17 00:00:00 2001
From: Taras Tsiura
Date: Wed, 8 Sep 2021 16:17:50 +0300
Subject: [PATCH] Let FS use shorter (at least 256 bits) ECC certificates.
---
 src/include/switch_ssl.h | 1 +
 src/switch_core_cert.c | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/include/switch_ssl.h b/src/include/switch_ssl.h
index f31888b57b..29170c864d 100644
--- a/src/include/switch_ssl.h
+++ b/src/include/switch_ssl.h
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 SWITCH_DECLARE(int) switch_core_cert_extract_fingerprint(X509* x509, dtls_fingerprint_t *fp);
diff --git a/src/switch_core_cert.c b/src/switch_core_cert.c
index 565f548e51..40f1076eb9 100644
--- a/src/switch_core_cert.c
+++ b/src/switch_core_cert.c
@@ -336,6 +336,7 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
 FILE *fp = NULL;
 EVP_PKEY *pkey = NULL;
 int bits = 0;
+ int min_cert_size_bits = 0;
 if (switch_is_file_path(file)) {
 pem = strdup(file);
@@ -364,10 +365,12 @@ SWITCH_DECLARE(switch_bool_t) switch_core_check_dtls_pem(const char *file)
 }
 bits = EVP_PKEY_bits(pkey);
+ min_cert_size_bits = EVP_PKEY_EC == pkey->type ? 256 : 4096;
 EVP_PKEY_free(pkey);
- if (bits < 4096) {
- switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d), it will be regenerated\n", pem, bits);
+ if (bits < min_cert_size_bits) {
+ switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d, < %d), it will be regenerated\n",
+ pem, bits, min_cert_size_bits);
 goto rename_pem;
 }
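Review bot: The added `EVP_PKEY_EC == pkey->type` in the second switch_core_cert.c hunk reads a field of `EVP_PKEY` directly, and that struct has been opaque since OpenSSL 1.1.0, so the line will not compile against current OpenSSL; use the accessor instead, `min_cert_size_bits = EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ? 256 : 4096;`, keeping it before the `EVP_PKEY_free(pkey)` call as the hunk already does. The two floors are not equivalent security levels, so a short why-comment would help the next reader, e.g. `/* EC keys: EVP_PKEY_bits() is the group order size, 256 (P-256) is the floor; all other key types keep the 4096-bit floor */`. Note that "all other key types" includes non-RSA keys such as DSA or Ed25519 (whose EVP_PKEY_bits() is 256), which will be logged as too short and regenerated; if that is intended it is worth saying so in the comment. switch_core_check_dtls_pem begins before this hunk and the `rename_pem` label it jumps to lies outside it.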