From bf4db6468291a61967781dc0c2a694ff2208c256 Mon Sep 17 00:00:00 2001
From: Gregory Cooke
Date: Thu, 11 Jan 2024 14:21:47 -0800
Subject: Disable renegotiation (#35444)

Disable renegotiation for TLS
This option was added in OpenSSL 1.1.1, thus why it is inside of the include guards.
https://github.com/grpc/grpc/issues/35368
Closes #35444
COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/35444 from gtcooke94:disable_renegotiation 715533c90c1cd06ea96d08fe3039b5a849d22453
PiperOrigin-RevId: 597653469
---
 src/core/tsi/ssl_transport_security.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc
index f85080be2b..4f3919319c 100644
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@@ -2074,6 +2074,9 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
     ssl_context = SSL_CTX_new(TLS_method());
 #else
     ssl_context = SSL_CTX_new(TLSv1_2_method());
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+    SSL_CTX_set_options(ssl_context, SSL_OP_NO_RENEGOTIATION);
 #endif
     if (ssl_context == nullptr) {
       grpc_core::LogSslErrorStack();
@@ -2289,6 +2292,9 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
     impl->ssl_contexts[i] = SSL_CTX_new(TLS_method());
 #else
     impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+    SSL_CTX_set_options(impl->ssl_contexts[i], SSL_OP_NO_RENEGOTIATION);
 #endif
     if (impl->ssl_contexts[i] == nullptr) {
       grpc_core::LogSslErrorStack();
-- 
cgit v1.2.3
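Review bot: In the client hunk, `SSL_CTX_set_options(ssl_context, SSL_OP_NO_RENEGOTIATION)` runs before the `if (ssl_context == nullptr)` check that follows it, so a failed `SSL_CTX_new` now dereferences a null context inside libssl instead of reaching the existing `LogSslErrorStack()` error path. The new `#if OPENSSL_VERSION_NUMBER >= 0x10101000` / `SSL_CTX_set_options(...)` / `#endif` block should be moved below the null-check `if` block (after its closing brace), where the context is known to be valid. Separately, gating on the version number alone assumes the library that reports 1.1.1+ also defines the option; if this file is built against other libssl flavours, `#if defined(SSL_OP_NO_RENEGOTIATION)` would express the intent more robustly, but that should be confirmed against the supported build configurations. A short comment such as `// Renegotiation is a known attack surface (see grpc#35368); refuse it on every context.` would also document why the option is set. The enclosing function tsi_create_ssl_client_handshaker_factory_with_options starts and ends outside this hunk.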
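Review bot: The server hunk has the same ordering problem as the client one: `SSL_CTX_set_options(impl->ssl_contexts[i], SSL_OP_NO_RENEGOTIATION)` is placed before `if (impl->ssl_contexts[i] == nullptr)`, so an allocation failure in `SSL_CTX_new` is turned from a logged error into a null-pointer dereference. Move the added `#if ... SSL_CTX_set_options(...) ... #endif` block to after the null-check block that calls `grpc_core::LogSslErrorStack()`, so the option is only applied to a successfully created context. Since the same three lines now appear in two factories, a small static helper (e.g. `static void DisableRenegotiation(SSL_CTX* ctx)`) holding the version guard would keep the two call sites from drifting apart. The enclosing function tsi_create_ssl_server_handshaker_factory_with_options and the loop over `impl->ssl_contexts[i]` start and end outside this hunk.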