On Wed, 1 Feb 2012, Mischa Salle wrote:

> The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is necessary to prevent a number of (older) broken SSL implementations from locking up. Basically what seems to happen is that they get confused about the empty fragments and interpret them as an EOF.

Right, and from what I hear that's one of the reasons why NSS(?) chose a different route to mitigate the problem:

http://thread.gmane.org/gmane.comp.encryption.openssl.devel/19772

> I agree it's good to have the option removed as it is strictly speaking a vulnerability, but the question is how to deal with all the older servers...?

As a short term fix you can use CURLOPT_SSL_CTX_FUNCTION and set whatever option you like to openssl. And of course, complain to anyone who still runs servers that can't deal with this.

As a longer term fix I could see us accepting a patch that allows a user to explicitly ask for disabling of this work-around.
--

/ daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
