Only bother with dynamic DH moduli if we are a bridge.

1 files changed, 18 insertions, 14 deletions

diff --git a/src/or/config.c b/src/or/config.c
index d403decb18..a846ca9079 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1363,22 +1363,26 @@ options_act(const or_options_t *old_options)
   }
 
   /* If needed, generate a new TLS DH prime according to the current torrc. */
-  if (!old_options) {
-    if (options->DynamicDHGroups) {
-      char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
-      crypto_set_tls_dh_prime(fname);
-      tor_free(fname);
+  if (server_mode(options) && options->BridgeRelay) {
+    if (!old_options) {
+      if (options->DynamicDHGroups) {
+        char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
+        crypto_set_tls_dh_prime(fname);
+        tor_free(fname);
+      } else {
+        crypto_set_tls_dh_prime(NULL);
+      }
     } else {
-      crypto_set_tls_dh_prime(NULL);
-    }
-  } else {
-    if (options->DynamicDHGroups && !old_options->DynamicDHGroups) {
-      char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
-      crypto_set_tls_dh_prime(fname);
-      tor_free(fname);
-    } else if (!options->DynamicDHGroups && old_options->DynamicDHGroups) {
-      crypto_set_tls_dh_prime(NULL);
+      if (options->DynamicDHGroups && !old_options->DynamicDHGroups) {
+        char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
+        crypto_set_tls_dh_prime(fname);
+        tor_free(fname);
+      } else if (!options->DynamicDHGroups && old_options->DynamicDHGroups) {
+        crypto_set_tls_dh_prime(NULL);
+      }
     }
+  } else { /* clients don't need a dynamic DH prime. */
+    crypto_set_tls_dh_prime(NULL);
   }
 
   /* We want to reinit keys as needed before we do much of anything else: