CURLOPT_SSL_OPTIONS: added

Allow an appliction to set libcurl specific SSL options. The first and only options supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl to disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
author: Daniel Stenberg <daniel@haxx.se> 2012-02-06 22:12:06 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2012-02-09 22:22:54 +0100
commit: 2a699bc6e94b8223d900e8880ad628aebf17ab6d (patch)
tree: 702f4ba21f3f0ff2ca28c321e28d993eb432f9fd /lib/ssluse.c
parent: 2a266c1c7c075f9faced0248ed3f870dac1fc749 (diff)
download: curl-2a699bc6e94b8223d900e8880ad628aebf17ab6d.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 014d5b56a..c3d5ec4c7 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1566,7 +1566,10 @@ ossl_connect_step1(struct connectdata *conn,
 #endif
 
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+  /* unless the user explicitly ask to allow the protocol vulnerability we
+     use the work-around */
+  if(!conn->data->set.ssl_enable_beast)
+    ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 #endif
 
   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
author	Daniel Stenberg <daniel@haxx.se>	2012-02-06 22:12:06 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2012-02-09 22:22:54 +0100
commit	2a699bc6e94b8223d900e8880ad628aebf17ab6d (patch)
tree	702f4ba21f3f0ff2ca28c321e28d993eb432f9fd /lib/ssluse.c
parent	2a266c1c7c075f9faced0248ed3f870dac1fc749 (diff)
download	curl-2a699bc6e94b8223d900e8880ad628aebf17ab6d.tar.gz