From 2a699bc6e94b8223d900e8880ad628aebf17ab6d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 6 Feb 2012 22:12:06 +0100
Subject: CURLOPT_SSL_OPTIONS: added
Allow an appliction to set libcurl specific SSL options. The first and only options supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl to disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
---
 include/curl/curl.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'include/curl')
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 2a9957e9c..3c9c41d8a 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -673,6 +673,15 @@ typedef enum {
 CURLUSESSL_LAST /* not an option, never use */
 } curl_usessl;
+/* Definition of bits for the CURLOPT_SSL_OPTIONS argument: */
+
+/* - ALLOW_BEAST tells libcurl to allow the BEAST SSL vulnerability in the
+ name of improving interoperability with older servers. Some SSL libraries
+ have introduced work-arounds for this flaw but those work-arounds sometimes
+ make the SSL communication fail. To regain functionality with those broken
+ servers, a user can this way allow the vulnerability back. */
+#define CURLSSLOPT_ALLOW_BEAST (1<<0)
+
 #ifndef CURL_NO_OLDIES /* define this to test if your app builds with all the obsolete stuff removed! */
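Review bot: The comment on the new `CURLSSLOPT_ALLOW_BEAST` bit says the flag "allows the BEAST SSL vulnerability" but never states what libcurl actually changes when it is set or what the application gives up, which is the one thing a caller must understand about a flag whose only purpose is to weaken security. Per the commit message the bit makes libcurl switch off whatever mitigation the SSL backend applies for the CBC flaw in SSL3 and TLS 1.0, so I would say that directly along with the consequence and the intended scope: `/* - ALLOW_BEAST disables the SSL backend's mitigation for the CBC flaw in` / `SSL3/TLS1.0 ("BEAST"), re-exposing such connections to plaintext recovery.` / `Leave unset unless a specific server fails with the mitigation enabled. */`. It would also help to state on the "Definition of bits" line that the option is a bitmask whose default of 0 is the secure setting, so future CURLSSLOPT_* bits inherit that convention. The backend work-around itself is not visible in this header-only diff, so the exact mechanism should be confirmed against the lib code before naming it in the comment.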
@@ -1506,6 +1515,9 @@ typedef enum {
 CINIT(TCP_KEEPIDLE, LONG, 214),
 CINIT(TCP_KEEPINTVL, LONG, 215),
+ /* Enable/disable specific SSL features with a bitmask, see CURLSSLOPT_* */
+ CINIT(SSL_OPTIONS, LONG, 216),
+
 CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
--
cgit v1.2.1
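Review bot: The comment above `CINIT(SSL_OPTIONS, LONG, 216)` describes the option as enabling or disabling "specific SSL features", which hides that the only bit defined so far lowers security; I would make the safe default explicit so callers reading the header know what 0 means: `/* Bitmask of CURLSSLOPT_* flags controlling the SSL backend; 0 (the default) keeps all of the backend's security work-arounds enabled */`. Because this is a public bitmask in the ABI, the curl_easy_setopt handler should reject a value with undefined bits set rather than ignore them, otherwise a mistaken value silently does nothing today and silently changes security posture once a new bit is assigned; that handler is not part of this diff, so I cannot tell whether it validates the mask. The CURLoption enum begins before this hunk.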