From f95c4d302a1856dfd48d7d253497627b61be8db1 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 24 Nov 2023 16:37:04 +0100
Subject: [PATCH] Disable TLS renegotiation if supported

The API doesn't need it and a customer's security scanner is afraid of a potential DoS attack vector.
---
 lib/base/tlsutility.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 5577bd2dd..bb0d653d0 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -91,6 +91,10 @@ static void InitSslContext(const Shared::Ptr& context
 	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	flags |= SSL_OP_NO_RENEGOTIATION;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
 	SSL_CTX_set_options(sslContext, flags);
 	SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
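Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` is looser than the feature it protects: `SSL_OP_NO_RENEGOTIATION` first appeared in OpenSSL 1.1.0h, so a build against 1.1.0 through 1.1.0g passes the version test and then fails on an undeclared identifier, and LibreSSL, which reports a 2.x `OPENSSL_VERSION_NUMBER`, is skipped or accepted depending only on that number rather than on whether its headers define the option. Since the option is a plain macro in OpenSSL's ssl.h, a feature test is both narrower and self-describing: `#ifdef SSL_OP_NO_RENEGOTIATION` with the matching `#endif /* SSL_OP_NO_RENEGOTIATION */`. It would also help to record the intent the commit message gives in the code, e.g. `// The API never needs client-initiated renegotiation, so refuse it where the library offers the knob; builds against older OpenSSL keep the default and still accept it.`, since nothing in the hunk says why the flag is set or that it is silently absent on older libraries. InitSslContext begins before this hunk and continues after it.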