CURLOPT_SSL_OPTIONS: added

Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ALLOW_BEAST.

It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.

This is a reaction to us unconditionally removing that behavior after
this security advisory:

http://curl.haxx.se/docs/adv_20120124B.html

... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.

1 files changed, 12 insertions, 0 deletions

diff --git a/include/curl/curl.h b/include/curl/curl.h
index 2a9957e9c..3c9c41d8a 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -673,6 +673,15 @@ typedef enum {
   CURLUSESSL_LAST     /* not an option, never use */
 } curl_usessl;
 
+/* Definition of bits for the CURLOPT_SSL_OPTIONS argument: */
+
+/* - ALLOW_BEAST tells libcurl to allow the BEAST SSL vulnerability in the
+   name of improving interoperability with older servers. Some SSL libraries
+   have introduced work-arounds for this flaw but those work-arounds sometimes
+   make the SSL communication fail. To regain functionality with those broken
+   servers, a user can this way allow the vulnerability back. */
+#define CURLSSLOPT_ALLOW_BEAST (1<<0)
+
 #ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
                           the obsolete stuff removed! */
 
@@ -1506,6 +1515,9 @@ typedef enum {
   CINIT(TCP_KEEPIDLE, LONG, 214),
   CINIT(TCP_KEEPINTVL, LONG, 215),
 
+  /* Enable/disable specific SSL features with a bitmask, see CURLSSLOPT_* */
+  CINIT(SSL_OPTIONS, LONG, 216),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;