curl-library
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS commit
Date: Wed, 1 Feb 2012 11:55:43 +0100
Hi,
I'd like to continue the discussion about commit
https://github.com/bagder/curl/commit/db1a856b4f7cf6ae334fb0656b26a18eea317000
The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a
number of (older) broken SSL implementations from locking up. Basically what
seems to happen is that they get confused about the empty fragments and
interpret them as an EOF.
With the above curl commit enabled, a curl-based client times out with
such a service.
I have seen this in an OpenJDK 1.6 based service on a CentOS 5.7 with
java-1.6.0-openjdk{,-devel}-1.6.0.0-1.23.1.9.10.el5_7
On the other hand that service also uses other SSL stuff such as
not-yet-commons-ssl-0.3.9, jetty-sslengine-6.1.18 and bcprov-jdk15-1.45
which might add their own bugs.
I agree it's good to have the option removed as it is strictly speaking
a vulnerability, but the question is how to deal with all the older
servers...?
Mischa
--
Nikhef, Room H155           Tel.  +31-20-592 5102
Science Park 105            Fax   +31-20-592 5155
1098 XG Amsterdam           Email msalle_at_nikhef.nl
The Netherlands
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
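To make the failure mode described in the message concrete, here is an added example (not from the original post or from curl) that models a TLS record stream at the record-header level only, with no encryption or MAC: a zero-length application-data record of the kind OpenSSL inserts as its CBC countermeasure, followed by the real request. A reader written in the style of the broken peers treats the empty fragment as end-of-stream and never sees the request, which is why a client then waits until it times out; a correct reader only stops at the end of the byte stream. All names and the sample stream are constructed for this illustration.

```python
import struct

APPLICATION_DATA = 23  # TLS ContentType for application_data

def tls_record(content_type, payload, version=(3, 1)):
    """Build one TLS record: 5-byte header (type, version, length) + payload.
    Constructed for illustration: plaintext only, no MAC or encryption."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload

def split_records(stream):
    """Yield (content_type, payload) for each complete record in the byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        off += 5
        yield ctype, stream[off:off + length]
        off += length

def read_app_data_broken(stream):
    """Models the buggy peer: a record that decrypts to zero bytes is taken
    as 'read returned 0', i.e. EOF, so anything after it is never processed."""
    out = b""
    for ctype, payload in split_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        if len(payload) == 0:
            break  # empty fragment mistaken for end of stream
        out += payload
    return out

def read_app_data_correct(stream):
    """Models a conforming peer: empty fragments carry no data and are skipped;
    EOF is only the end of the underlying byte stream."""
    out = b""
    for ctype, payload in split_records(stream):
        if ctype == APPLICATION_DATA:
            out += payload
    return out

# Constructed sample streams: with and without the leading empty fragment.
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM_WITH_EMPTY = tls_record(APPLICATION_DATA, b"") + tls_record(APPLICATION_DATA, REQUEST)
STREAM_WITHOUT_EMPTY = tls_record(APPLICATION_DATA, REQUEST)

if __name__ == "__main__":
    print("broken reader, empty fragment present :", read_app_data_broken(STREAM_WITH_EMPTY))
    print("correct reader, empty fragment present:", read_app_data_correct(STREAM_WITH_EMPTY))
    print("broken reader, no empty fragment      :", read_app_data_broken(STREAM_WITHOUT_EMPTY))
```

The first line prints an empty request, which is the server-side view of the hang: it is still waiting for a request that, from its point of view, never arrived.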