diff --git a/config/config.go b/config/config.go
index e4552a4661a..d955c2cc46c 100644
--- a/config/config.go
+++ b/config/config.go
@@ -284,6 +284,7 @@ type Config struct {
 ProxySSLMinVersion uint16 `json:"proxy_ssl_min_version"`
 ProxySSLCipherSuites []string `json:"proxy_ssl_ciphers"`
 ProxyDefaultTimeout int `json:"proxy_default_timeout"`
+ ProxySSLDisableRenegotiation bool `json:"proxy_ssl_disable_renegotiation"`
 LogLevel string `json:"log_level"`
 Security SecurityConfig `json:"security"`
 EnableKeyLogging bool `json:"enable_key_logging"`
diff --git a/reverse_proxy.go b/reverse_proxy.go
index ae519be4ff6..5e5423e9ec4 100644
--- a/reverse_proxy.go
+++ b/reverse_proxy.go
@@ -470,6 +470,10 @@ func httpTransport(timeOut int, rw http.ResponseWriter, req *http.Request, p *Re
 transport.TLSClientConfig.CipherSuites = getCipherAliases(p.TykAPISpec.Proxy.Transport.SSLCipherSuites)
 }
 
+ if !config.Global().ProxySSLDisableRenegotiation {
+ transport.TLSClientConfig.Renegotiation = tls.RenegotiateFreelyAsClient
+ }
+
 // Use the default unless we've modified the timout
 if timeOut > 0 {
 log.Debug("Setting timeout for outbound request to: ", timeOut)
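Review bot: The new `if !config.Global().ProxySSLDisableRenegotiation` block in httpTransport makes renegotiation opt-out: with the field's zero value, every upstream TLS connection gets `tls.RenegotiateFreelyAsClient`, whereas crypto/tls defaults to `RenegotiateNever`. An existing deployment therefore starts accepting repeated server-initiated renegotiation on upgrade without any change to its config. Consider making this opt-in, or using the narrower `tls.RenegotiateOnceAsClient` if upstreams only need a single renegotiation. The same point applies to the config.go hunk, where the field would benefit from a comment such as `// ProxySSLDisableRenegotiation turns off TLS renegotiation towards upstreams; false (the default) allows it.` The setting is also global only, while the cipher suites just above come from the per-API `p.TykAPISpec.Proxy.Transport`; httpTransport's body starts and ends outside the hunk, so whether that is intentional is not visible here.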