From a238cf040a93a29d231d95176bed11ec841c0796 Mon Sep 17 00:00:00 2001
From: Marvin Scholz
Date: Sat, 8 May 2021 17:06:01 +0200
Subject: [PATCH] Fix: Disable TLSv1.2 renegotiation

It had already issues in the past and there occured again an issue with it in OpenSSL recently (CVE-2021-3449). Other projects like nginx and apache httpd disable renegotiation too and I do not really see any benefit supporting it for Icecast, as its uses seems rather obscure.
---
 src/tls.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/tls.c b/src/tls.c
index 379000d9..8e85342a 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -91,6 +91,11 @@ tls_ctx_t *tls_ctx_new(const char *cert_file, const char *key_file, const char *
     SSL_CTX_set_min_proto_version(ctx->ctx, TLS1_VERSION);
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+    // Disable TLSv1.2 renegotiation
+    ssl_opts |= SSL_OP_NO_RENEGOTIATION;
+#endif
+
 #ifdef SSL_OP_NO_COMPRESSION
     ssl_opts |= SSL_OP_NO_COMPRESSION; // Never use compression
 #endif
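Review bot: The added `#ifdef SSL_OP_NO_RENEGOTIATION` block silently does nothing on an OpenSSL that lacks the macro, so such a build keeps renegotiation enabled with no trace of it; an `#else` branch with a `#warning` (or a startup log line, if the surrounding code has a logging facility) would make the degraded configuration visible to the operator. The comment `// Disable TLSv1.2 renegotiation` also under-describes the flag: it disables renegotiation for every protocol version that has it (TLS 1.3 has no renegotiation, so the flag covers TLS 1.2 and below), and a reader would benefit from the reason, e.g. `// Disable TLS <= 1.2 renegotiation (TLS 1.3 has none); mitigates CVE-2021-3449-class issues`. As a point of style, the neighbouring `SSL_OP_NO_COMPRESSION` line puts its comment trailing the statement, so the new block should follow that form. Whether `ssl_opts` is later applied with SSL_CTX_set_options is outside the hunk; tls_ctx_new starts and ends outside it.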