From 3c86686c0a7fcf993a9976e64d01ecb971037c8e Mon Sep 17 00:00:00 2001
From: Bernie Hackett
Date: Mon, 18 Mar 2019 17:27:28 -0700
Subject: [PATCH] PYTHON-1726 Disable TLS renegotiation when possible

(cherry picked from commit bb83a2608263e42fcd7e334e0ff028264adc4e29)
---
 doc/changelog.rst | 2 +-
 pymongo/ssl_support.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/changelog.rst b/doc/changelog.rst
index 101fda7a6..7fe081500 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -22,11 +22,11 @@ Changes in Version 3.8.0.dev0
 - :meth:`gridfs.grid_file.GridOut.read` now only checks for extra chunks
   after reading the entire file. Previously, this method would check for
   extra chunks on every call.
-
 - :meth:`~pymongo.database.Database.current_op` now always uses the
   ``Database``'s :attr:`~pymongo.database.Database.codec_options` when
   decoding the command response. Previously the codec_options was only
   used when the MongoDB server version was <= 3.0.
+- TLS Renegotiation is now disabled when possible.
 
 Issues Resolved
 ...............
diff --git a/pymongo/ssl_support.py b/pymongo/ssl_support.py
index 9eeeb4f7a..181c8b109 100644
--- a/pymongo/ssl_support.py
+++ b/pymongo/ssl_support.py
@@ -128,6 +128,8 @@ if HAVE_SSL:
         ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
         # OpenSSL >= 1.0.0
         ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)
+        # Python 3.7+ with OpenSSL >= 1.1.0h
+        ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
         if certfile is not None:
             try:
                 if passphrase is not None:
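Review bot: The `getattr(ssl, "OP_NO_RENEGOTIATION", 0)` fallback in the ssl_support.py hunk is a silent no-op on interpreters without the constant, so on Python < 3.7 or a build linked against OpenSSL older than 1.1.0h renegotiation stays enabled with no signal to the caller, which is what the changelog's "when possible" implies but the code comment does not say. The added comment should state the consequence rather than only the version: `# Python 3.7+ linked against OpenSSL >= 1.1.0h; on older builds this is a no-op and renegotiation remains enabled.` It is also worth noting in that comment that the option only applies to TLS 1.2 and earlier, since TLS 1.3 has no renegotiation, so the protection is not uniform across negotiated versions. The enclosing function begins outside the hunk, so its docstring (if any) may also need a line describing this conditional behaviour.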