--- lib/ssluse.c	2010-09-18 14:00:21.000000000 -0700

+++ lib/ssluse.c	2012-01-24 07:43:28.989624080 -0800

@@ -1428,6 +1428,7 @@

   X509_LOOKUP *lookup=NULL;

   curl_socket_t sockfd = conn->sock[sockindex];

   struct ssl_connect_data *connssl = &conn->ssl[sockindex];

+  long ctx_options;

 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

   bool sni;

 #ifdef ENABLE_IPV6

@@ -1507,16 +1508,27 @@

      If someone writes an application with libcurl and openssl who wants to

      enable the feature, one can do this in the SSL callback.

+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability

+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to

+     SSL_OP_ALL that _disables_ that work-around despite the fact that

+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to

+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit

+     must not be set.

+

   */

+

+  ctx_options = SSL_OP_ALL;

+

 #ifdef SSL_OP_NO_TICKET

   /* expect older openssl releases to not have this define so only use it if

      present */

-#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET

-#else

-#define CURL_CTX_OPTIONS SSL_OP_ALL

+  ctx_options |= SSL_OP_NO_TICKET;

+#endif

+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;

 #endif

-  SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);

+  SSL_CTX_set_options(connssl->ctx, ctx_options);

   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */

   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)