Date: Wed, 1 Feb 2012 11:55:43 +0100
I'd like to continue the discussion about commit
The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a
number of (older) broken SSL implementations from locking up. Basically what
seems to happen is that they get confused about the empty fragments and
interpret them as an EOF.
With the above curl commit enabled, a curl-based client times out with
such a service.
I have seen this in an openjdk 1.6 based service on a Centos 5.7 with
On the other hand that service also uses other SSL stuff such as
not-yet-commons-ssl-0.3.9, jetty-sslengine-6.1.18 and bcprov-jdk15-1.45
which might add their own bugs.
I agree it's good to have the option removed as it is strictly speaking
a vulnerability, but the question is how to deal with all the older
--
Nikhef                      Room H155
Science Park 105            Tel. +31-20-592 5102
1098 XG Amsterdam           Fax  +31-20-592 5155
The Netherlands             Email msalle_at_nikhef.nl
__ .. ... _._. .... ._   ... ._ ._.. ._.. .._..
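The failure mode described in the mail above, as an added illustration that is not part of the original message: a minimal TLS record-layer reader over a constructed record stream, once written the way the broken peers behave (an empty application-data fragment is taken as end of data) and once written correctly (only close_notify or stream exhaustion ends the data). The records are shown as they look after decryption, so the empty fragment has a zero-length body; the constants and the sample stream are constructed for this example.

```python
import struct

APPLICATION_DATA = 23
ALERT = 21
CLOSE_NOTIFY = (1, 0)  # alert level warning(1), description close_notify(0)

def record(content_type, body, version=(3, 1)):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BBBH", content_type, *version, len(body)) + body

def iter_records(stream):
    """Split a byte string into (content_type, body) tuples, record by record."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        pos += 5 + length

def read_app_data_naive(stream):
    """Buggy reader: a record that yields zero bytes is mistaken for EOF."""
    out = b""
    for ctype, body in iter_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        if not body:
            break  # the bug: zero bytes from one record is not end of connection
        out += body
    return out

def read_app_data(stream):
    """Correct reader: only a close_notify alert (or stream exhaustion) ends the data."""
    out = b""
    for ctype, body in iter_records(stream):
        if ctype == ALERT and tuple(body) == CLOSE_NOTIFY:
            break
        if ctype == APPLICATION_DATA:
            out += body  # an empty fragment simply contributes nothing
    return out

# Constructed sample: a TLS 1.0 sender that inserts an empty fragment before each
# data record, as OpenSSL does without SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. On the
# wire each empty fragment still carries MAC and padding; after decryption its
# body is empty, which is what the receiver's record layer hands upward.
SAMPLE = (record(APPLICATION_DATA, b"")
          + record(APPLICATION_DATA, b"HTTP/1.1 200 OK\r\n")
          + record(APPLICATION_DATA, b"")
          + record(APPLICATION_DATA, b"\r\nhello")
          + record(ALERT, bytes(CLOSE_NOTIFY)))
```

Run against SAMPLE, the naive reader returns nothing at all because the very first record is an empty fragment, while the correct reader returns the full response.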