File 0002-With-OpenSSL-1.0.2-and-earlier-disable-client-side-renegotiation.patch of Package spice.19889

Subject: With OpenSSL 1.0.2 and earlier: disable client-side renegotiation.
From: Julien Ropé jrope@redhat.com Thu Dec 3 09:33:48 2020 +0100
Date: Mon Dec 7 14:43:32 2020 +0000:
Git: 95a0cfac8a1c8eff50f05e65df945da3bb501fc9

Fixed issue #49
Fixes BZ#1904459

Signed-off-by: Julien Ropé <jrope@redhat.com>
Reported-by: BlackKD
Acked-by: Frediano Ziglio <fziglio@redhat.com>

diff --git a/server/red-stream.c b/server/red-stream.c
index 420433bd..c1f0f00c 100644
--- a/server/red-stream.c
+++ b/server/red-stream.c
@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
         return RED_STREAM_SSL_STATUS_OK;
     }
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+    // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
+    stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+#endif
+
     ssl_error = SSL_get_error(stream->priv->ssl, return_code);
     if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
                               ssl_error == SSL_ERROR_WANT_WRITE)) {