From e87ac5a79c7ff680563770bc4a14e93ab875ed30 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Wed, 29 May 2019 11:47:18 +0100
Subject: [PATCH] Disable TLS renegotiation. Client initiated renegotiation is considered to be a potential attack vector against servers. Closes #1257. Thanks to Daniele Sluijters.
---
 ChangeLog.txt | 2 ++
 src/net.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 33504027..5be7af28 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -20,6 +20,8 @@ Broker:
   writing. Closes #1290.
 - Fix persistent Websockets clients not receiving messages after they
   reconnect, having sent DISCONNECT on a previous session. Closes #1227.
+- Disable TLS renegotiation. Client initiated renegotiation is considered to
+  be a potential attack vector against servers. Closes #1257.
 
 Client library:
 - Fix typo causing build error on Windows when building without TLS support.
diff --git a/src/net.c b/src/net.c
index 495f8b2f..0b57558c 100644
--- a/src/net.c
+++ b/src/net.c
@@ -368,6 +368,10 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+	SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 	snprintf(buf, 256, "mosquitto-%d", listener->port);
 	SSL_CTX_set_session_id_context(listener->ssl_ctx, (unsigned char *)buf, strlen(buf));