From e530999156054929cf229e8fafab0922c6f513df Mon Sep 17 00:00:00 2001
From: Bernhard Miklautz
Date: Thu, 15 Dec 2022 10:30:59 +0100
Subject: [PATCH] new [tls/server]: disable client side renegotiation

---
 libfreerdp/crypto/tls.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 8b3901020..093710910 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -1006,6 +1006,17 @@ BOOL tls_accept(rdpTls* tls, BIO* underlying, rdpSettings* settings)
 */
 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 
+ /**
+ * SSL_OP_NO_RENEGOTIATION
+ *
+ * Disable SSL client site renegotiation.
+ */
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L) || \
+ defined(LIBRESSL_VERSION_NUMBER)
+ options |= SSL_OP_NO_RENEGOTIATION;
+#endif
+
 if (!tls_prepare(tls, underlying, SSLv23_server_method(), options, FALSE))
 return FALSE;
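Review bot: The version guard around `options |= SSL_OP_NO_RENEGOTIATION;` tests library versions rather than whether the macro exists; as far as I know the option first shipped in OpenSSL 1.1.0h and only in later LibreSSL releases, so an early 1.1.0 or an older LibreSSL would probably fail to compile here. Testing the macro directly, `#if defined(SSL_OP_NO_RENEGOTIATION)`, would avoid that, with the `OPENSSL_VERSION_NUMBER < 0x30000000L` bound kept only if excluding 3.x is deliberate. Where the guard is false the server silently keeps accepting client-initiated renegotiation (on pre-1.1.0 OpenSSL at least), and the new comment does not say so. I would extend it to something like `/* Not set on OpenSSL 3.x, which presumably refuses client renegotiation by default; older libraries remain unprotected. */` and fix "client site" to "client-side". tls_accept begins and ends outside this hunk, so the type of `options` and any other renegotiation handling are not visible from here.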