cURL / Mailing Lists / curl-library / Single Mail



From: Mischa Salle <>
Date: Wed, 1 Feb 2012 11:55:43 +0100


I'd like to continue the discussion about commit

The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a
number of (older) broken SSL implementations from locking up. Basically what
seems to happen is that they get confused about the empty fragments and
interpret them as an EOF.

With the above curl commit enabled, a curl-based client times out with
such a service.
I have seen this in an openjdk 1.6 based service on a CentOS 5.7 with
On the other hand that service also uses other SSL stuff such as
not-yet-commons-ssl-0.3.9, jetty-sslengine-6.1.18 and bcprov-jdk15-1.45,
which might add their own bugs.

I agree it's good to have the option removed as it is strictly speaking
a vulnerability, but the question is how to deal with all the older


Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

Received on 2012-02-01
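The empty-fragment confusion described in the post, as an added example that is not code from the post or from the curl project: a minimal TLS record-layer reader over a constructed byte stream (TLS 1.0 application-data records) that distinguishes a zero-length fragment, the CBC countermeasure OpenSSL inserts, from a genuine transport EOF, with a flag that reproduces the buggy "empty fragment means EOF" reading. The record bytes and helper names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a TLS record is a 5-byte header (type, version,
 * 16-bit length) followed by a body of that length. A body length of 0 is
 * a legal, well-formed record; only running out of transport bytes is EOF. */
#define READ_EOF   0   /* transport closed: no bytes left at all          */
#define READ_EMPTY 1   /* well-formed record with a zero-length fragment   */
#define READ_DATA  2   /* record carrying application data                 */
#define READ_ERR  -1   /* truncated header or body                         */

struct reader { const uint8_t *buf; size_t len; size_t pos; };

/* Read one record; on READ_EMPTY/READ_DATA sets *frag and *frag_len. */
static int read_record(struct reader *r, const uint8_t **frag, size_t *frag_len)
{
    if (r->pos == r->len) return READ_EOF;            /* genuine EOF */
    if (r->len - r->pos < 5) return READ_ERR;         /* short header */
    const uint8_t *h = r->buf + r->pos;
    size_t body = ((size_t)h[3] << 8) | h[4];
    if (r->len - r->pos - 5 < body) return READ_ERR;  /* short body */
    *frag = h + 5;
    *frag_len = body;
    r->pos += 5 + body;
    return body == 0 ? READ_EMPTY : READ_DATA;
}

/* Count application bytes delivered before EOF. With skip_empty == 0 the
 * reader mimics the broken peers in the post: an empty fragment is taken
 * as end-of-stream and the data behind it is never read. */
static size_t drain(const uint8_t *stream, size_t len, int skip_empty)
{
    struct reader r = { stream, len, 0 };
    const uint8_t *frag; size_t n, total = 0;
    for (;;) {
        int rc = read_record(&r, &frag, &n);
        if (rc == READ_EOF || rc == READ_ERR) return total;
        if (rc == READ_EMPTY) { if (skip_empty) continue; return total; }
        total += n;
    }
}

/* Constructed stream: empty application-data record, then "hello". */
static const uint8_t sample_stream[] = {
    0x17, 0x03, 0x01, 0x00, 0x00,                                    /* empty fragment */
    0x17, 0x03, 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'            /* 5 data bytes   */
};

int main(void)
{
    printf("correct reader: %zu bytes\n", drain(sample_stream, sizeof sample_stream, 1));
    printf("buggy reader:   %zu bytes\n", drain(sample_stream, sizeof sample_stream, 0));
    return 0;
}
```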