From 4bd018cf87681a781a2f72ac036d46c3ea1ffd99 Mon Sep 17 00:00:00 2001
From: Maximilian Fridrich <m.fridrich@commend.com>
Date: Wed, 15 May 2024 13:47:50 +0200
Subject: [PATCH] tls: allow secure TLS renegotiation

---
 src/tls/openssl/tls_tcp.c | 2 +-
 src/tls/openssl/tls_udp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tls/openssl/tls_tcp.c b/src/tls/openssl/tls_tcp.c
index e7fbe0be2..422343ed2 100644
--- a/src/tls/openssl/tls_tcp.c
+++ b/src/tls/openssl/tls_tcp.c
@@ -230,7 +230,7 @@ static bool recv_handler(int *err, struct mbuf *mb, bool *estab, void *arg)
 
 	if (SSL_state(tc->ssl) != SSL_ST_OK) {
 
-		if (tc->up) {
+		if (tc->up && !SSL_get_secure_renegotiation_support(tc->ssl)) {
 			*err = EPROTO;
 			return true;
 		}
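Review bot: The new condition `if (tc->up && !SSL_get_secure_renegotiation_support(tc->ssl))` accepts a restarted handshake on every established connection whose peer advertises RFC 5746 support, with no opt-in and no limit on how often the peer may trigger it. Secure renegotiation binds the new handshake to the old one, but each peer-initiated handshake still costs the local side asymmetric-crypto work. The peer certificate may also change during it, so any code that checked the peer identity only when the connection first came up would need to re-check. I would gate this behind a setting that defaults to off, e.g. `if (tc->up && (!tc->reneg_allowed || !SSL_get_secure_renegotiation_support(tc->ssl))) {`, where `reneg_allowed` is a placeholder for a new field, and cap the number of renegotiations per connection. The same applies to the identical change in conn_recv() in tls_udp.c; the rest of recv_handler() is outside the hunk, so it is not visible here whether the establish handler fires again after a renegotiation.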
diff --git a/src/tls/openssl/tls_udp.c b/src/tls/openssl/tls_udp.c
index 6a57f602e..19d31485b 100644
--- a/src/tls/openssl/tls_udp.c
+++ b/src/tls/openssl/tls_udp.c
@@ -353,7 +353,7 @@ static void conn_recv(struct tls_conn *tc, struct mbuf *mb)
 
 	if (SSL_state(tc->ssl) != SSL_ST_OK) {
 
-		if (tc->up) {
+		if (tc->up && !SSL_get_secure_renegotiation_support(tc->ssl)) {
 			conn_close(tc, EPROTO);
 			return;
 		}
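Review bot: The guard in conn_recv() needs a comment, because nothing here says that a non-OK SSL state on a connection that is already up appears to be treated as a peer-initiated renegotiation, or why that is now tolerated. Something like `/* handshake restarted on an established connection: accept only if the peer negotiated RFC 5746 secure renegotiation */` above the `if (tc->up && ...)` line would do, and the same comment fits the matching line in tls_tcp.c. Since the predicate is now duplicated across both files, a small shared static inline helper would keep the TCP and UDP paths from drifting apart. conn_recv() continues past the end of the hunk.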