| -rw-r--r-- | docs/curl.1 | 6 | ||||
| -rw-r--r-- | src/tool_cfgable.h | 4 | ||||
| -rw-r--r-- | src/tool_getparam.c | 7 | ||||
| -rw-r--r-- | src/tool_help.c | 3 | ||||
| -rw-r--r-- | src/tool_operate.c | 4 | 
5 files changed, 20 insertions, 4 deletions
|
diff --git a/docs/curl.1 b/docs/curl.1
index 5bc8f0df8..4520e1b18 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)
 This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
 option name can still be used but will be removed in a future version.
+.IP "--ssl-allow-beast"
+(SSL) This option tells curl to not work around a security flaw in the SSL3
+and TLS1.0 protocols known as BEAST.  If this option isn't used, the SSL layer
+may use work-arounds known to cause interoperability problems with some older
+SSL implementations. WARNING: this option loosens the SSL security, and by
+using this flag you ask for exactly that.  (Added in 7.25.0)
 .IP "--socks4 <host[:port]>"
 Use the specified SOCKS4 proxy. If the port number is not specified, it is
 assumed at port 1080. (Added in 7.15.2)
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index adbb44627..6e66191ae 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -195,7 +195,7 @@ struct Configurable {
   bool xattr;               /* store metadata in extended attributes */
   long gssapi_delegation;
-
+  bool ssl_allow_beast;     /* allow this SSL vulnerability */
 }; /* struct Configurable */
 void free_config_fields(struct Configurable *config);
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index bd7375fd9..e65371f3e 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
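Review bot: The comment on the new `ssl_allow_beast` field in struct Configurable, `/* allow this SSL vulnerability */`, names neither the vulnerability nor the effect of setting the flag. A wording such as `/* TRUE: skip the BEAST work-around for SSL3/TLS1.0 (weakens security) */` would make clear that FALSE is the protected state. The struct begins outside the hunk, so how the field is initialised cannot be confirmed from here.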
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
   {"Ek", "tlsuser",                  TRUE},
   {"El", "tlspassword",              TRUE},
   {"Em", "tlsauthtype",              TRUE},
+  {"En", "ssl-no-empty-fragments",   FALSE},
   {"f",  "fail",                     FALSE},
   {"F",  "form",                     TRUE},
   {"Fs", "form-string",              TRUE},
@@ -1144,6 +1145,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
         else
           return PARAM_LIBCURL_DOESNT_SUPPORT;
         break;
+      case 'n': /* no empty SSL fragments */
+        if(curlinfo->features & CURL_VERSION_SSL)
+          config->ssl_allow_beast = toggle;
+        break;
       default: /* certificate file */
       {
         char *ptr = strchr(nextarg, ':');
diff --git a/src/tool_help.c b/src/tool_help.c
index 7c7d8d315..a3e9da098 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
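Review bot: The long option registered in `aliases[]` is `ssl-no-empty-fragments`, but the docs/curl.1 hunk documents `--ssl-allow-beast` and the help line added in src/tool_help.c prints `--ssl-allow-below`, so the commit carries three spellings and the documented one is presumably not accepted by the parser. Because this switch deliberately weakens SSL3/TLS1.0 protection, it should have exactly one name, and that name should say what it does. The alias entry should read `{"En", "ssl-allow-beast",          FALSE},` and the help line `"     --ssl-allow-beast Allow security flaw to improve interop (SSL)",`. The aliases table starts and ends outside the hunk.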
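Review bot: In the new `case 'n'` branch of getparameter(), a build without SSL support accepts the option and silently does nothing, whereas the branch directly above it ends in `else return PARAM_LIBCURL_DOESNT_SUPPORT;`. Adding the same `else` here would keep the two cases consistent and tell the user the flag had no effect. The comment `/* no empty SSL fragments */` also no longer matches the field it sets; `case 'n': /* allow BEAST (skip the SSL work-around) */` would line up with `ssl_allow_beast`. The function starts and ends outside the hunk.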
@@ -187,6 +187,7 @@ static const char *const helptext[] = {
   "     --ssl-reqd      Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
   " -2, --sslv2         Use SSLv2 (SSL)",
   " -3, --sslv3         Use SSLv3 (SSL)",
+  "     --ssl-allow-below Allow security flaw to improve interop (SSL)",
   "     --stderr FILE   Where to redirect stderr. - means stdout",
   "     --tcp-nodelay   Use the TCP_NODELAY option",
   " -t, --telnet-option OPT=VAL  Set telnet option",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 1557e6256..f3fb8ef2a 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
           my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
                         config->gssapi_delegation);
+        /* new in 7.25.0 */
+        if(config->ssl_allow_beast)
+          my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);
+
         /* initialize retry vars for loop below */
         retry_sleep_default = (config->retry_delay) ?
           config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
|
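Review bot: The comment above the new `CURLOPT_SSL_OPTIONS` call in operate(), `/* new in 7.25.0 */`, records only the version and not that this is the one place where the tool turns a TLS protection off. A comment such as `/* new in 7.25.0: only on explicit request, disable the BEAST work-around (weakens SSL3/TLS1.0) */` would make the security trade-off visible to whoever edits this block next. Setting the option only inside the `if` is the right shape, since the library default is left untouched when the flag is not given. operate() starts and ends outside the hunk.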
