From d5d9bd45185b4ea2a4d7600512559326880290c9 Mon Sep 17 00:00:00 2001
From: Sara Golemon <sara.golemon@mongodb.com>
Date: Mon, 2 Aug 2021 16:14:21 +0000
Subject: SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at
 runtime

(cherry picked from commit 2d974e867061b13526750f1ff66a9fb577a96354)
---
 src/mongo/util/net/ssl_manager_openssl.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'src/mongo')

diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index cc0a75229fb..18f5ac36372 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -2073,8 +2073,19 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
         }
     }
 
-#ifdef SSL_OP_NO_RENEGOTIATION
-    options |= SSL_OP_NO_RENEGOTIATION;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    // OpenSSL pre-1.1.0 isn't ABI compatable enough to ever work, so skip it.
+#ifndef SSL_OP_NO_RENEGOTIATION
+#define SSL_OP_NO_RENEGOTIATION 0x40000000U
+#endif
+    if (OpenSSL_version_num() >= 0x10100080) {
+        /* SSL_OP_NO_RENEGOTIATION added in 1.1.0h (0x10100080)
+         * but we might be compiling with 1.1.0(a-g).
+         * Allow this option to be specified at runtime
+         * in this specific window.
+         */
+        options |= SSL_OP_NO_RENEGOTIATION;
+    }
 #endif
 
     ::SSL_CTX_set_options(context, options);
-- 
cgit v1.2.1