PYTHON-1726 Disable TLS renegotiation when possible

behackett · behackett · commit bb83a2608263 · 2019-03-19T11:19:50.000-07:00
diff --git a/doc/changelog.rst b/doc/changelog.rst
@@ -66,11 +66,11 @@ Changes in Version 3.8.0.dev0
 - :meth:`gridfs.grid_file.GridOut.read` now only checks for extra chunks after
   reading the entire file. Previously, this method would check for extra
   chunks on every call.
-
 - :meth:`~pymongo.database.Database.current_op` now always uses the
   ``Database``'s  :attr:`~pymongo.database.Database.codec_options`
   when decoding the command response. Previously the codec_options
   was only used when the MongoDB server version was <= 3.0.
+- TLS Renegotiation is now disabled when possible.
 
 Issues Resolved
 ...............
diff --git a/pymongo/ssl_support.py b/pymongo/ssl_support.py
@@ -137,6 +137,8 @@ def get_ssl_context(*args):
             ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
             # OpenSSL >= 1.0.0
             ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)
+            # Python 3.7+ with OpenSSL >= 1.1.0h
+            ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
         if certfile is not None:
             try:
                 if passphrase is not None:
