aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/ssluse.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 3754904f4..014d5b56a 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1545,6 +1545,13 @@ ossl_connect_step1(struct connectdata *conn,
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
+
+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+ SSL_OP_ALL that _disables_ that work-around despite the fact that
+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+ must not be set.
*/
ctx_options = SSL_OP_ALL;
@@ -1558,6 +1565,10 @@ ossl_connect_step1(struct connectdata *conn,
ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
ctx_options |= SSL_OP_NO_SSLv2;