From 2fc5995a2f995fb3a41a25374d165a23419138e6 Mon Sep 17 00:00:00 2001
From: bpartin2009 <30868857+bpartin2009@users.noreply.github.com>
Date: Fri, 20 Aug 2021 07:12:12 -0500
Subject: [PATCH] Update iostream-openssl-params.c
---
 src/lib-ssl-iostream/iostream-openssl-params.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/lib-ssl-iostream/iostream-openssl-params.c b/src/lib-ssl-iostream/iostream-openssl-params.c
index 0a256fc9fcc..49be4f4d7b8 100644
--- a/src/lib-ssl-iostream/iostream-openssl-params.c
+++ b/src/lib-ssl-iostream/iostream-openssl-params.c
@@ -45,8 +45,17 @@ int openssl_iostream_generate_params(buffer_t *output, unsigned int dh_length,
 const char **error_r)
 {
 if (generate_dh_parameters(512, output, error_r) < 0)
+ unsigned int minimal_dh_size = 512;
+ #ifdef OPENSSL_FIPS
+ if (FIPS_mode() > 0) {
+ minimal_dh_size = 2048;
+ i_warning("FIPS mode detected. Setting minimum DH params size from 512 to 2048. Accepting SSL connections after first start might take longer.");
+ };
+ #endif
+ if (generate_dh_parameters(minimal_dh_size, output, error_r) < 0)
 return -1;
 if (dh_length != 512) {
+ if (dh_length > minimal_dh_size) {
 if (generate_dh_parameters(dh_length, output, error_r) < 0)
 return -1;
 }
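Review bot: The new side of this hunk does not compile and still generates the 512-bit parameters: the old `if (generate_dh_parameters(512, output, error_r) < 0)` is kept as a context line, so the added `unsigned int minimal_dh_size = 512;` becomes that if's body (a declaration is not a statement in C), and even once that parses the 512-bit generation runs before the new minimum-size one, defeating the FIPS floor. Likewise `if (dh_length != 512) {` is kept directly above the added `if (dh_length > minimal_dh_size) {`, which opens a second brace that nothing in the hunk closes, and `};` after the FIPS block carries a stray semicolon. The two old lines should be `-` lines so the new code reads `unsigned int minimal_dh_size = 512;` … `if (generate_dh_parameters(minimal_dh_size, output, error_r) < 0)` … `if (dh_length > minimal_dh_size) {`, and `};` should be `}`. `FIPS_mode()` is only reached under `OPENSSL_FIPS`, which as far as I know is set only by FIPS-capable OpenSSL 1.0.x builds, so a comment that other builds keep the 512-bit minimum would help the next reader. The enclosing openssl_iostream_generate_params starts before the hunk and its final return lies after it.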