don't allow renegotiation
authorAlan T. DeKok <aland@freeradius.org>
Tue, 4 Mar 2025 11:27:04 +0000 (06:27 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 4 Mar 2025 11:27:04 +0000 (06:27 -0500)
which means sending a new certificate in the middle of a TLS
session.

Since the server doesn't expect this behavior, it's likely not to
work.

src/main/tls.c

index 8b31227de60cba44083ede7d1377fea042952029..7286f220c688b210f0833299b5a3e2bc1da9a27d 100644 (file)
@@ -4093,6 +4093,13 @@ load_ca:
 post_ca:
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+       /*
+        *      This is never useful for anything.
+        */
+       ctx_options |= SSL_OP_NO_RENEGOTIATION;
+#endif
+
        /*
         *      We never want SSLv2 or SSLv3.
         */