
curl-library

Re: SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS commit

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 2 Feb 2012 22:58:10 +0100 (CET)

On Wed, 1 Feb 2012, Mischa Salle wrote:

> The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a
> number of (older) broken SSL implementations from locking up. Basically what
> seems to happen is that they get confused about the empty fragments and
> interpret them as an EOF.

Right, and from what I hear that's one of the reasons why NSS(?) chose a
different route to mitigate the problem:

http://thread.gmane.org/gmane.comp.encryption.openssl.devel/19772

> I agree it's good to have the option removed as it is strictly speaking a
> vulnerability, but the question is how to deal with all the older
> servers...?

As a short term fix you can use CURLOPT_SSL_CTX_FUNCTION and set whatever
option you like on OpenSSL. And of course complain to anyone who still runs
servers that can't deal with this.

As a longer term fix I could see us accepting a patch that allows a user to
explicitly ask for disabling of this work-around.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-02-02