From b4f04c3443fe311eb0046cdf9fac05d2516fb466 Mon Sep 17 00:00:00 2001
From: Tesshu Flower
Date: Fri, 10 Apr 2026 09:47:24 -0400
Subject: [PATCH] rsync-tls use TLSv1.3 as min - use ciphers = kPSK also in stunnel.conf to prevent stunnel from loading all PSK ciphers (no 1.2 ciphers will be used anyway, but they still load at startup, and some ciphers will require a DH parameter regen which can cause high CPU load on some systems (can be very slow)
Signed-off-by: Tesshu Flower
---
 mover-rsync-tls/server.sh | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/mover-rsync-tls/server.sh b/mover-rsync-tls/server.sh
index 8ea36ae88..3883de2ac 100644
--- a/mover-rsync-tls/server.sh
+++ b/mover-rsync-tls/server.sh
@@ -72,11 +72,19 @@ if [[ ! -d $TARGET ]] && ! test -b $BLOCK_TARGET; then
   exit 1
 fi
+SSLVERSIONMIN="sslVersionMin = TLSv1.3"
 if [[ -n ${SSL_VERSION_MIN} ]]; then
   # Append sslVersionMin to stunnel conf
   SSLVERSIONMIN="sslVersionMin = ${SSL_VERSION_MIN}"
 fi
+# Notes:
+# Below we are setting ciphers = kPSK in stunnel.conf as we're already going
+# to default to TLSv1.3 as the minimum. The ciphers setting only applies to
+# TLSv1.2 and below, but with ciphers = PSK startup will still run a "per-day"
+# regeneration job that will regenerate DH parameters - we can bypass this
+# by setting ciphers = kPSK to avoid any Kx=DH ciphers.
+
 if [[ -d $TARGET ]]; then
 ##############################
 ## Filesystem volume, use rsync
@@ -134,7 +142,7 @@ socket = r:TCP_KEEPIDLE=180
 syslog = no
 [rsync]
-ciphers = PSK
+ciphers = kPSK
 PSKsecrets = $PSK_FILE
 $SSLVERSIONMIN
 ; Port to listen for incoming connections from remote
@@ -180,7 +188,7 @@ socket = r:TCP_KEEPIDLE=180
 syslog = no
 [diskrsync]
-ciphers = PSK
+ciphers = kPSK
 PSKsecrets = $PSK_FILE
 $SSLVERSIONMIN
 ; Port to listen for incoming connections from remote
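Review bot: The `if [[ -n ${SSL_VERSION_MIN} ]]` override in the first hunk still accepts any string, so the new floor set by `SSLVERSIONMIN="sslVersionMin = TLSv1.3"` can be silently lowered by the environment, and because the value is expanded verbatim into the generated stunnel.conf (`$SSLVERSIONMIN` in the [rsync] and [diskrsync] sections of the later hunks) a value containing a newline would add further directives; an allow-list `case` on the override closes both. If TLSv1.2 is ever allowed through that override, note that `ciphers = kPSK` (the same change in both [rsync] and [diskrsync]) keeps only plain-PSK key exchange and drops the (EC)DHE-PSK suites, so TLS 1.2 sessions would have no forward secrecy — worth a sentence in the new `# Notes:` comment, which currently explains only the DH-regeneration motivation. The enclosing `if [[ ! -d $TARGET ]] ...` block whose `exit 1`/`fi` open the first hunk starts outside it.
```shell
SSLVERSIONMIN="sslVersionMin = TLSv1.3"
if [[ -n ${SSL_VERSION_MIN} ]]; then
  # Only accept versions at or above the TLSv1.2 floor; reject anything else
  # rather than expanding an unchecked string into stunnel.conf
  case "${SSL_VERSION_MIN}" in
    TLSv1.2|TLSv1.3)
      SSLVERSIONMIN="sslVersionMin = ${SSL_VERSION_MIN}"
      ;;
    *)
      printf 'ERROR: unsupported SSL_VERSION_MIN value: %s\n' "${SSL_VERSION_MIN}" >&2
      exit 1
      ;;
  esac
fi
```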