|
1 --- lib/ssluse.c 2010-09-18 14:00:21.000000000 -0700 |
|
2 +++ lib/ssluse.c 2012-01-24 07:43:28.989624080 -0800 |
|
3 @@ -1428,6 +1428,7 @@ |
|
4 X509_LOOKUP *lookup=NULL; |
|
5 curl_socket_t sockfd = conn->sock[sockindex]; |
|
6 struct ssl_connect_data *connssl = &conn->ssl[sockindex]; |
|
7 + long ctx_options; |
|
8 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
|
9 bool sni; |
|
10 #ifdef ENABLE_IPV6 |
|
11 @@ -1507,16 +1508,27 @@ |
|
12 If someone writes an application with libcurl and openssl who wants to |
|
13 enable the feature, one can do this in the SSL callback. |
|
14 |
|
15 + OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability |
|
16 + (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to |
|
17 + SSL_OP_ALL that _disables_ that work-around despite the fact that |
|
18 + SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to |
|
19 + keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit |
|
20 + must not be set. |
|
21 + |
|
22 */ |
|
23 + |
|
24 + ctx_options = SSL_OP_ALL; |
|
25 + |
|
26 #ifdef SSL_OP_NO_TICKET |
|
27 /* expect older openssl releases to not have this define so only use it if |
|
28 present */ |
|
29 -#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET |
|
30 -#else |
|
31 -#define CURL_CTX_OPTIONS SSL_OP_ALL |
|
32 + ctx_options |= SSL_OP_NO_TICKET; |
|
33 +#endif |
|
34 +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
|
35 + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
|
36 #endif |
|
37 |
|
38 - SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); |
|
39 + SSL_CTX_set_options(connssl->ctx, ctx_options); |
|
40 |
|
41 /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ |
|
42 if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |