diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2012-02-06 22:12:06 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2012-02-09 22:22:54 +0100 |
| commit | 2a699bc6e94b8223d900e8880ad628aebf17ab6d (patch) | |
| tree | 702f4ba21f3f0ff2ca28c321e28d993eb432f9fd /docs/libcurl | |
| parent | 2a266c1c7c075f9faced0248ed3f870dac1fc749 (diff) | |
| download | curl-2a699bc6e94b8223d900e8880ad628aebf17ab6d.tar.gz | |
CURLOPT_SSL_OPTIONS: added
Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ALLOW_BEAST.
It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.
This is a reaction to us unconditionally removing that behavior after
this security advisory:
http://curl.haxx.se/docs/adv_20120124B.html
... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.
Diffstat (limited to 'docs/libcurl')
| -rw-r--r-- | docs/libcurl/curl_easy_setopt.3 | 10 | ||||
| -rw-r--r-- | docs/libcurl/symbols-in-versions | 2 |
2 files changed, 12 insertions, 0 deletions
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index a7688a7d0..571fe742a 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -2313,6 +2313,16 @@ this to 1 to enable it. By default all transfers are done using the cache. While nothing ever should get hurt by attempting to reuse SSL session-IDs, there seem to be broken SSL implementations in the wild that may require you to disable this in order for you to succeed. (Added in 7.16.0) +.IP CURLOPT_SSL_OPTIONS +Pass a long with a bitmask to tell libcurl about specific SSL behaviors. + +CURLSSLOPT_ALLOW_BEAST is the only supported bit and by setting this the user +will tell libcurl to not attempt to use any work-arounds for a security flaw +in the SSL3 and TLS1.0 protocols. If this option isn't used or this bit is +set to 0, the SSL layer libcurl uses may use a work-around for this flaw +although it might cause interoperability problems with some (older) SSL +implementations. WARNING: avoiding this work-around loosens the security, and +by setting this option to 1 you ask for exactly that. (Added in 7.25.0) .IP CURLOPT_KRBLEVEL Pass a char * as parameter. Set the kerberos security level for FTP; this also enables kerberos awareness. This is a string, \&'clear', \&'safe', diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index a9f8a9d6e..010ebc6fe 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -482,6 +482,7 @@ CURLOPT_SSLVERSION 7.1 CURLOPT_SSL_CIPHER_LIST 7.9 CURLOPT_SSL_CTX_DATA 7.10.6 CURLOPT_SSL_CTX_FUNCTION 7.10.6 +CURLOPT_SSL_OPTIONS 7.25.0 CURLOPT_SSL_SESSIONID_CACHE 7.16.0 CURLOPT_SSL_VERIFYHOST 7.8.1 CURLOPT_SSL_VERIFYPEER 7.4.2 @@ -573,6 +574,7 @@ CURLSSH_AUTH_KEYBOARD 7.16.1 CURLSSH_AUTH_NONE 7.16.1 CURLSSH_AUTH_PASSWORD 7.16.1 CURLSSH_AUTH_PUBLICKEY 7.16.1 +CURLSSLOPT_ALLOW_BEAST 7.25.0 CURLUSESSL_ALL 7.17.0 CURLUSESSL_CONTROL 7.17.0 CURLUSESSL_NONE 7.17.0 |