authorSara Golemon <sara.golemon@mongodb.com>2021-08-02 16:14:21 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-08-11 17:52:52 +0000
commitd5d9bd45185b4ea2a4d7600512559326880290c9 (patch)
treee285c1c33189fc3a49aa987f4eb5bbe51f1db2db /src/mongo
parent51463ed9e3fca4667c72d82be539c061e7bed63e (diff)
SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime
(cherry picked from commit 2d974e867061b13526750f1ff66a9fb577a96354)
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index cc0a75229fb..18f5ac36372 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -2073,8 +2073,19 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
}
}
-#ifdef SSL_OP_NO_RENEGOTIATION
- options |= SSL_OP_NO_RENEGOTIATION;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ // OpenSSL pre-1.1.0 isn't ABI compatable enough to ever work, so skip it.
+#ifndef SSL_OP_NO_RENEGOTIATION
+#define SSL_OP_NO_RENEGOTIATION 0x40000000U
+#endif
+ if (OpenSSL_version_num() >= 0x10100080) {
+ /* SSL_OP_NO_RENEGOTIATION added in 1.1.0h (0x10100080)
+ * but we might be compiling with 1.1.0(a-g).
+ * Allow this option to be specified at runtime
+ * in this specific window.
+ */
+ options |= SSL_OP_NO_RENEGOTIATION;
+ }
#endif
::SSL_CTX_set_options(context, options);
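Review bot: When the library loaded at runtime is older than 1.1.0h, the `if (OpenSSL_version_num() >= 0x10100080)` gate skips the option without leaving any trace, so an operator cannot tell from the logs that this context still accepts renegotiation. An `else` branch that emits one startup warning naming the runtime version would make the gap visible. The `#if OPENSSL_VERSION_NUMBER >= 0x10100000` wrapper also drops the option for pre-1.1.0 builds whose headers do define `SSL_OP_NO_RENEGOTIATION`, which the removed `#ifdef` honoured; whether any supported build has such headers is not visible here. The fallback `#define` deserves a comment next to it, for example `// Value copied from OpenSSL 1.1.0h ssl.h; only used when building against 1.1.0a-g headers.` initSSLContext begins and ends outside the hunk.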