diff --git a/SOURCES/0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch b/SOURCES/0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch
new file mode 100644
index 0000000..96d6f4f
--- /dev/null
+++ b/SOURCES/0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch
@@ -0,0 +1,38 @@
+From 95a0cfac8a1c8eff50f05e65df945da3bb501fc9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
+Date: Thu, 3 Dec 2020 09:33:48 +0100
+Subject: [PATCH] With OpenSSL 1.0.2 and earlier: disable client-side
+ renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixed issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé <jrope@redhat.com>
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/red-stream.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/red-stream.cpp b/server/red-stream.cpp
+index 420433bd..c1f0f00c 100644
+--- a/server/red-stream.c
++++ b/server/red-stream.c
+@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
+ return RED_STREAM_SSL_STATUS_OK;
+ }
+
++#ifndef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
++ stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++#endif
++
+ ssl_error = SSL_get_error(stream->priv->ssl, return_code);
+ if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
+ ssl_error == SSL_ERROR_WANT_WRITE)) {
+--
+2.29.2
+
diff --git a/SOURCES/0008-OpenSSL-1.1-disable-client-side-renegotiation.patch b/SOURCES/0008-OpenSSL-1.1-disable-client-side-renegotiation.patch
new file mode 100644
index 0000000..cfd6cd1
--- /dev/null
+++ b/SOURCES/0008-OpenSSL-1.1-disable-client-side-renegotiation.patch
@@ -0,0 +1,36 @@
+From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
+Date: Wed, 2 Dec 2020 13:39:27 +0100
+Subject: [PATCH 1/2] With OpenSSL 1.1: Disable client-initiated renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé <jrope@redhat.com>
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/reds.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/server/reds.cpp b/server/reds.cpp
+index fe69508e..f61086cb 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds)
+ * When some other SSL/TLS version becomes obsolete, add it to this
+ * variable. */
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
++ ssl_options |= SSL_OP_NO_RENEGOTIATION;
++#endif
+
+ /* Global system initialization*/
+ openssl_global_init();
+--
+2.29.2
+
diff --git a/SPECS/spice.spec b/SPECS/spice.spec
index 3556483..f1c1dd8 100644
--- a/SPECS/spice.spec
+++ b/SPECS/spice.spec
@@ -1,6 +1,6 @@
Name: spice
Version: 0.14.3
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Implements the SPICE protocol
Group: User Interface/Desktops
License: LGPLv2+
@@ -15,6 +15,8 @@ Patch4: 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
Patch5: 0005-websocket-Fix-possible-integer-overflow.patch
Patch6: 0006-test-websocket-check-setsockopt-return-value.patch
+Patch7: 0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch
+Patch8: 0008-OpenSSL-1.1-disable-client-side-renegotiation.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=613529
%if 0%{?rhel} && 0%{?rhel} <= 7
@@ -112,6 +114,10 @@ mkdir -p %{buildroot}%{_libexecdir}
%changelog
+* Tue Jan 19 2021 Julien Ropé <jrope@redhat.com> - 0.14.3-4
+- Disable client-side renegotiation to prevent potential DoS
+ Resolves: rhbz#1904459
+
* Wed Jun 17 2020 Uri Lublin <uril@redhat.com> - 0.14.3-3
- Fix some static analyzer issues
- Removed Obsoletes line for spice-client