-rw-r--r--docs/curl.16
-rw-r--r--src/tool_cfgable.h4
-rw-r--r--src/tool_getparam.c7
-rw-r--r--src/tool_help.c3
-rw-r--r--src/tool_operate.c4
5 files changed, 20 insertions, 4 deletions
diff --git a/docs/curl.1 b/docs/curl.1
index 5bc8f0df8..4520e1b18 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)
This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
option name can still be used but will be removed in a future version.
+.IP "--ssl-allow-beast"
+(SSL) This option tells curl to not work around a security flaw in the SSL3
+and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
+may use work-arounds known to cause interoperability problems with some older
+SSL implementations. WARNING: this option loosens the SSL security, and by
+using this flag you ask for exactly that. (Added in 7.25.0)
.IP "--socks4 <host[:port]>"
Use the specified SOCKS4 proxy. If the port number is not specified, it is
assumed at port 1080. (Added in 7.15.2)
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index adbb44627..6e66191ae 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -195,7 +195,7 @@ struct Configurable {
bool xattr; /* store metadata in extended attributes */
long gssapi_delegation;
-
+ bool ssl_allow_beast; /* allow this SSL vulnerability */
}; /* struct Configurable */
void free_config_fields(struct Configurable *config);
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index bd7375fd9..e65371f3e 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
{"Ek", "tlsuser", TRUE},
{"El", "tlspassword", TRUE},
{"Em", "tlsauthtype", TRUE},
+ {"En", "ssl-no-empty-fragments", FALSE},
{"f", "fail", FALSE},
{"F", "form", TRUE},
{"Fs", "form-string", TRUE},
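Review bot: The added alias row registers the long option as `ssl-no-empty-fragments`, but the man page hunk in this same commit documents the switch as `--ssl-allow-beast` and the help text in tool_help.c spells it a third way, so the name users are told about is not accepted by the parser. The row should read `{"En", "ssl-allow-beast", FALSE},` so table, man page and help agree. The name as written also describes a mechanism rather than the user-visible effect the man page documents, which is the name a user will search for.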
@@ -1144,6 +1145,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
else
return PARAM_LIBCURL_DOESNT_SUPPORT;
break;
+ case 'n': /* no empty SSL fragments */
+ if(curlinfo->features & CURL_VERSION_SSL)
+ config->ssl_allow_beast = toggle;
+ break;
default: /* certificate file */
{
char *ptr = strchr(nextarg, ':');
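Review bot: The new `case 'n'` silently drops the flag when libcurl reports no SSL support, whereas the case directly above it returns `PARAM_LIBCURL_DOESNT_SUPPORT` in the same situation; a user asking to weaken TLS on a build that has no TLS should get that error rather than a quiet no-op. Adding `else return PARAM_LIBCURL_DOESNT_SUPPORT;` after the assignment makes the two cases consistent. The comment `/* no empty SSL fragments */` names a backend mechanism rather than the option; `/* --ssl-allow-beast: disable the BEAST workaround */` would match the man page. getparameter() continues outside the hunk.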
diff --git a/src/tool_help.c b/src/tool_help.c
index 7c7d8d315..a3e9da098 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -187,6 +187,7 @@ static const char *const helptext[] = {
" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
" -2, --sslv2 Use SSLv2 (SSL)",
" -3, --sslv3 Use SSLv3 (SSL)",
+ " --ssl-allow-below Allow security flaw to improve interop (SSL)",
" --stderr FILE Where to redirect stderr. - means stdout",
" --tcp-nodelay Use the TCP_NODELAY option",
" -t, --telnet-option OPT=VAL Set telnet option",
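Review bot: The help line spells the option `--ssl-allow-below`, which does not match the `--ssl-allow-beast` name documented in docs/curl.1 in this same commit, so `curl --help` advertises a switch that does not exist. Change the line to `"     --ssl-allow-beast  Allow security flaw to improve interop (SSL)",`. Naming the flaw in the description, e.g. `Allow security flaw (BEAST) to improve interop`, would let a user look it up before enabling it, provided it fits the column width the surrounding lines use.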
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 1557e6256..f3fb8ef2a 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
config->gssapi_delegation);
+ /* new in 7.25.0 */
+ if(config->ssl_allow_beast)
+ my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);
+
/* initialize retry vars for loop below */
retry_sleep_default = (config->retry_delay) ?
config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
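Review bot: The comment `/* new in 7.25.0 */` records when the lines were added rather than why they exist; a reader of tool_operate.c has to open the man page to learn that this knob deliberately disables a security mitigation. Suggest `/* --ssl-allow-beast: ask libcurl not to apply its BEAST workaround; weakens TLS, only set on explicit user request */`. Since CURLOPT_SSL_OPTIONS appears to be a bitmask (a single flag cast to long is passed), a later flag should be OR'd into the same value rather than set with a second my_setopt call, and a one-line note to that effect would keep the next addition from clobbering this one. operate() continues outside the hunk.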