Hi, I'd like to continue the discussion about commit https://github.com/bagder/curl/commit/db1a856b4f7cf6ae334fb0656b26a18eea317000
The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a
number of (older) broken SSL implementations from locking up. Basically what
seems to happen is that they get confused about the empty fragments and
interpret them as an EOF.
With the above curl commit enabled, a curl-based client times out with
such a service.
I have seen this in an openjdk 1.6 based service on a CentOS 5.7 with
java-1.6.0-openjdk{,-devel}-1.6.0.0-1.23.1.9.10.el5_7
On the other hand that service also uses other SSL stuff such as
not-yet-commons-ssl-0.3.9, jetty-sslengine-6.1.18 and bcprov-jdk15-1.45
which might add their own bugs.
I agree it's good to have the option removed as it is strictly speaking
a vulnerability, but the question is how to deal with all the older
servers...?
Mischa
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email [email protected]
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
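To illustrate the failure mode described in the mail (a peer that treats the empty fragment as EOF), here is an added model, not code from curl, OpenSSL or the poster: a minimal TLS record splitter over a constructed record stream, taken as already decrypted with MAC and padding stripped, so the countermeasure appears as a zero-length application-data fragment. The `naive_read` reader stops at the first empty fragment the way the broken peers do; `robust_read` treats it as "no data yet" and keeps reading.

```python
import struct

APPLICATION_DATA = 0x17  # TLS ContentType application_data


def parse_records(stream: bytes):
    """Split a TLS record stream into (content_type, fragment) tuples.

    Fragments are assumed to be already decrypted with MAC and padding
    removed, so the empty-fragment countermeasure shows up as a
    zero-length fragment rather than as a MAC-plus-padding block.
    """
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        offset += 5
        if len(stream) - offset < length:
            raise ValueError("truncated record body")
        records.append((ctype, stream[offset:offset + length]))
        offset += length
    return records


def naive_read(stream: bytes) -> bytes:
    """Broken reader: a read that yields zero bytes is taken as end-of-stream."""
    out = b""
    for ctype, frag in parse_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        if len(frag) == 0:
            break  # mistakes the empty fragment for EOF and never sees the rest
        out += frag
    return out


def robust_read(stream: bytes) -> bytes:
    """Correct reader: an empty fragment carries no data but is not EOF."""
    return b"".join(frag for ctype, frag in parse_records(stream) if ctype == APPLICATION_DATA)


def record(ctype: int, frag: bytes) -> bytes:
    """Build one TLS 1.0 record (version 3.1) around a plaintext fragment."""
    return struct.pack("!BBBH", ctype, 3, 1, len(frag)) + frag


# Constructed sample: an empty fragment precedes each data record, as the
# CBC countermeasure sends it.
SAMPLE = (record(APPLICATION_DATA, b"") + record(APPLICATION_DATA, b"HTTP/1.1 200 OK\r\n")
          + record(APPLICATION_DATA, b"") + record(APPLICATION_DATA, b"\r\nhello"))
```

Running both readers over `SAMPLE` shows the naive one returning nothing at all, which on a real connection is the silent stall the mail describes.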
