authorGregory Cooke <gregorycooke@google.com>2024-01-11 14:21:47 -0800
committerCopybara-Service <copybara-worker@google.com>2024-01-11 14:25:18 -0800
commitbf4db6468291a61967781dc0c2a694ff2208c256 (patch)
treea9a6aabe3bbba102d3fa4ded411f340e3c0dc24b
parent77ad5a786e6eb2d2c5303ff4e5aafe8189013789 (diff)
downloadgrpc-grpc-bf4db6468291a61967781dc0c2a694ff2208c256.tar.gz
Disable renegotiation (#35444)
Disable renegotiation for TLS. This option was added in OpenSSL 1.1.1, which is why it is inside the `#if` version guards. https://github.com/grpc/grpc/issues/35368 Closes #35444 COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/35444 from gtcooke94:disable_renegotiation 715533c90c1cd06ea96d08fe3039b5a849d22453 PiperOrigin-RevId: 597653469
-rw-r--r--src/core/tsi/ssl_transport_security.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc
index f85080be2b..4f3919319c 100644
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@@ -2075,6 +2075,9 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
#else
ssl_context = SSL_CTX_new(TLSv1_2_method());
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+ SSL_CTX_set_options(ssl_context, SSL_OP_NO_RENEGOTIATION);
+#endif
if (ssl_context == nullptr) {
grpc_core::LogSslErrorStack();
gpr_log(GPR_ERROR, "Could not create ssl context.");
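Review bot: The added `SSL_CTX_set_options(ssl_context, SSL_OP_NO_RENEGOTIATION);` runs before the `if (ssl_context == nullptr)` check that follows it, so a failed `SSL_CTX_new` hands a null context to OpenSSL instead of reaching the logged error path. As far as I know the setter does not check its context argument, so this would turn an allocation failure into a crash rather than a returned error. Moving the three-line `#if` block to just after the null check (after its early return) keeps the hardening and the error handling both intact. The server factory hunk has the same ordering with `impl->ssl_contexts[i]`. The function body starts and ends outside this hunk, so the exact placement depends on the return that follows the log call.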
@@ -2290,6 +2293,9 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
#else
impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+ SSL_CTX_set_options(impl->ssl_contexts[i], SSL_OP_NO_RENEGOTIATION);
+#endif
if (impl->ssl_contexts[i] == nullptr) {
grpc_core::LogSslErrorStack();
gpr_log(GPR_ERROR, "Could not create ssl context.");
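Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x10101000` guard carries no comment, so a reader cannot tell from the code that builds against older OpenSSL silently keep the library's default renegotiation behaviour. A short comment above the guard would record that, for example `// SSL_OP_NO_RENEGOTIATION was added in OpenSSL 1.1.1; older builds cannot disable renegotiation this way.` The same comment belongs on the identical block in the client factory hunk. Since the two blocks are duplicates, a small file-local helper that applies the option to an `SSL_CTX*` would also keep the guard and its rationale in one place. The enclosing loop and function extend beyond this hunk.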