diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2012-02-06 22:12:06 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2012-02-09 22:22:54 +0100 |
| commit | 2a699bc6e94b8223d900e8880ad628aebf17ab6d (patch) | |
| tree | 702f4ba21f3f0ff2ca28c321e28d993eb432f9fd /lib | |
| parent | 2a266c1c7c075f9faced0248ed3f870dac1fc749 (diff) | |
CURLOPT_SSL_OPTIONS: added
Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ALLOW_BEAST.
It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.
This is a reaction to us unconditionally removing that behavior after
this security advisory:
http://curl.haxx.se/docs/adv_20120124B.html
... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssluse.c | 5 | ||||
| -rw-r--r-- | lib/url.c | 15 | ||||
| -rw-r--r-- | lib/urldata.h | 2 |
3 files changed, 16 insertions, 6 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index 014d5b56a..c3d5ec4c7 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1566,7 +1566,10 @@ ossl_connect_step1(struct connectdata *conn, #endif #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + /* unless the user explicitly ask to allow the protocol vulnerability we + use the work-around */ + if(!conn->data->set.ssl_enable_beast) + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ @@ -838,6 +838,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, { char *argptr; CURLcode result = CURLE_OK; + long arg; #ifndef CURL_DISABLE_HTTP curl_off_t bigsize; #endif @@ -847,12 +848,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, data->set.dns_cache_timeout = va_arg(param, long); break; case CURLOPT_DNS_USE_GLOBAL_CACHE: - { /* remember we want this enabled */ - long use_cache = va_arg(param, long); - data->set.global_dns_cache = (0 != use_cache)?TRUE:FALSE; - } - break; + arg = va_arg(param, long); + data->set.global_dns_cache = (0 != arg)?TRUE:FALSE; + break; case CURLOPT_SSL_CIPHER_LIST: /* set a list of cipher we want to use in the SSL connection */ result = setstropt(&data->set.str[STRING_SSL_CIPHER_LIST], @@ -2189,6 +2188,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, */ data->set.use_ssl = (curl_usessl)va_arg(param, long); break; + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); + data->set.ssl_enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE; + break; + #endif case CURLOPT_FTPSSLAUTH: /* diff --git a/lib/urldata.h b/lib/urldata.h index a959bc716..5725ba86b 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1508,6 +1508,8 @@ struct UserDefined { bool ftp_skip_ip; /* skip the IP address the FTP server passes on to us */ bool connect_only; /* make connection, let application use the socket */ + bool ssl_enable_beast; /* especially allow this flaw for interoperability's + sake*/ long ssh_auth_types; /* allowed SSH auth types */ bool http_te_skip; /* pass the raw body data to the user, even when transfer-encoded (chunked, compressed) */ |