components/curl/patches/007-curl-dont-insert-empty-fragments.patch
changeset 677 07b064828047
676:3837a817e8a8 677:07b064828047
       
     1 --- lib/ssluse.c	2010-09-18 14:00:21.000000000 -0700
       
     2 +++ lib/ssluse.c	2012-01-24 07:43:28.989624080 -0800
       
     3 @@ -1428,6 +1428,7 @@
       
     4    X509_LOOKUP *lookup=NULL;
       
     5    curl_socket_t sockfd = conn->sock[sockindex];
       
     6    struct ssl_connect_data *connssl = &conn->ssl[sockindex];
       
     7 +  long ctx_options;
       
     8  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
       
     9    bool sni;
       
    10  #ifdef ENABLE_IPV6
       
    11 @@ -1507,16 +1508,27 @@
       
    12       If someone writes an application with libcurl and openssl who wants to
       
    13       enable the feature, one can do this in the SSL callback.
       
    14  
       
    15 +     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
       
    16 +     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
       
    17 +     SSL_OP_ALL that _disables_ that work-around despite the fact that
       
    18 +     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
       
    19 +     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
       
    20 +     must not be set.
       
    21 +
       
    22    */
       
    23 +
       
    24 +  ctx_options = SSL_OP_ALL;
       
    25 +
       
    26  #ifdef SSL_OP_NO_TICKET
       
    27    /* expect older openssl releases to not have this define so only use it if
       
    28       present */
       
    29 -#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
       
    30 -#else
       
    31 -#define CURL_CTX_OPTIONS SSL_OP_ALL
       
    32 +  ctx_options |= SSL_OP_NO_TICKET;
       
    33 +#endif
       
    34 +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
       
    35 +  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
       
    36  #endif
       
    37  
       
    38 -  SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);
       
    39 +  SSL_CTX_set_options(connssl->ctx, ctx_options);
       
    40  
       
    41    /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
       
    42    if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)