author | Mike Sullivan <Mike.Sullivan@Oracle.COM> |
Mon, 11 Mar 2013 10:38:09 -0700 | |
branch | s11-update |
changeset 2520 | ceec631e74d1 |
parent 677 | 07b064828047 |
permissions | -rw-r--r-- |
677
07b064828047
7141450 Problem with library/curl
Rich Burridge <rich.burridge@oracle.com>
1 |
--- lib/ssluse.c 2010-09-18 14:00:21.000000000 -0700 |
2 |
+++ lib/ssluse.c 2012-01-24 07:43:28.989624080 -0800 |
3 |
@@ -1428,6 +1428,7 @@ |
4 |
X509_LOOKUP *lookup=NULL; |
5 |
curl_socket_t sockfd = conn->sock[sockindex]; |
6 |
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; |
7 |
+ long ctx_options; |
8 |
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
9 |
bool sni; |
10 |
#ifdef ENABLE_IPV6 |
11 |
@@ -1507,16 +1508,27 @@ |
12 |
If someone writes an application with libcurl and openssl who wants to |
13 |
enable the feature, one can do this in the SSL callback. |
14 |
|
15 |
+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability |
16 |
+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to |
17 |
+ SSL_OP_ALL that _disables_ that work-around despite the fact that |
18 |
+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to |
19 |
+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit |
20 |
+ must not be set. |
21 |
+ |
22 |
*/ |
23 |
+ |
24 |
+ ctx_options = SSL_OP_ALL; |
25 |
+ |
26 |
#ifdef SSL_OP_NO_TICKET |
27 |
/* expect older openssl releases to not have this define so only use it if |
28 |
present */ |
29 |
-#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET |
30 |
-#else |
31 |
-#define CURL_CTX_OPTIONS SSL_OP_ALL |
32 |
+ ctx_options |= SSL_OP_NO_TICKET; |
33 |
+#endif |
34 |
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
35 |
+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
36 |
#endif |
37 |
|
38 |
- SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); |
39 |
+ SSL_CTX_set_options(connssl->ctx, ctx_options); |
40 |
|
41 |
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ |
42 |
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |
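Review bot: SSL_CTX_set_options() only ORs bits into the context and never clears any, so the mask `ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` keeps the empty-fragment countermeasure only if nothing has already set that bit on connssl->ctx before the `SSL_CTX_set_options(connssl->ctx, ctx_options);` call; the context's creation is outside this hunk, so I cannot confirm it is fresh at this point. Where the OpenSSL in use provides SSL_CTX_clear_options (0.9.8m and later), a defensive `SSL_CTX_clear_options(connssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);` after the set, under the matching version guard, would make the intent hold regardless of prior state. Composing the flags into ctx_options and masking after SSL_OP_ALL is added is the right order, since the contents of SSL_OP_ALL vary across OpenSSL releases, and the added comment explaining why the bit must stay clear is worth keeping with the code. The enclosing function begins before and continues after this hunk.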