SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime

author: Sara Golemon <sara.golemon@mongodb.com> 2021-08-02 16:14:21 +0000
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2021-08-02 21:42:41 +0000
commit: 2d974e867061b13526750f1ff66a9fb577a96354 (patch)
tree: 10c96855a9a2376a0086c86fa21becf9ad94d198 /src/mongo/util
parent: 07147779c17af8b5c83c128101730c3d8a1d22f6 (diff)
download: mongo-2d974e867061b13526750f1ff66a9fb577a96354.tar.gz
1 files changed, 13 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 94c7823c6ce..94e82ba7710 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -2279,8 +2279,19 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
         }
     }
 
-#ifdef SSL_OP_NO_RENEGOTIATION
-    options |= SSL_OP_NO_RENEGOTIATION;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    // OpenSSL pre-1.1.0 isn't ABI compatable enough to ever work, so skip it.
+#ifndef SSL_OP_NO_RENEGOTIATION
+#define SSL_OP_NO_RENEGOTIATION 0x40000000U
+#endif
+    if (OpenSSL_version_num() >= 0x10100080) {
+        /* SSL_OP_NO_RENEGOTIATION added in 1.1.0h (0x10100080)
+         * but we might be compiling with 1.1.0(a-g).
+         * Allow this option to be specified at runtime
+         * in this specific window.
+         */
+        options |= SSL_OP_NO_RENEGOTIATION;
+    }
 #endif
 
     ::SSL_CTX_set_options(context, options);
author	Sara Golemon <sara.golemon@mongodb.com>	2021-08-02 16:14:21 +0000
committer	Evergreen Agent <no-reply@evergreen.mongodb.com>	2021-08-02 21:42:41 +0000
commit	2d974e867061b13526750f1ff66a9fb577a96354 (patch)
tree	10c96855a9a2376a0086c86fa21becf9ad94d198 /src/mongo/util
parent	07147779c17af8b5c83c128101730c3d8a1d22f6 (diff)
download	mongo-2d974e867061b13526750f1ff66a9fb577a96354.tar.gz