curl-library
Re: SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS commit
Date: Thu, 2 Feb 2012 22:58:10 +0100 (CET)
On Wed, 1 Feb 2012, Mischa Salle wrote:
> The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a
> number of (older) broken SSL implementations from locking up. Basically what seems
> to happen is that they get confused about the empty fragments and interpret
> them as an EOF.
Right, and from what I hear that's one of the reasons why NSS(?) chose a
different route to mitigate the problem:
http://thread.gmane.org/gmane.comp.encryption.openssl.devel/19772
> I agree it's good to have the option removed as it is strictly speaking a
> vulnerability, but the question is how to deal with all the older
> servers...?
As a short term fix you can use CURLOPT_SSL_CTX_FUNCTION and set whatever
option you like in OpenSSL. And of course complain to anyone who still runs
servers that can't deal with this.
As a longer term fix I could see us accepting a patch that allows a user to
explicitly ask for disabling of this work-around.
-- / daniel.haxx.se
Received on 2012-02-02