On Sun, 5 Feb 2012, Alessandro Ghedini wrote:
That is the same solution I have thought in response to Debian bug #658276. I was not sure about the option naming, but CURLOPT_SSL_NO_EMPTY_FRAGMENTS (and maybe --ssl-no-empty-fragments) seems the best to me.
Hi,I'm proposing changes as the attached patches show. I've not actually tried this against a live troublesome server so if you have/know any, please have a go and tell us how this behaves!
Of course other opinions and feedback would be welcome as well. -- / daniel.haxx.se
From f4c3cb5c8a877a577be3d13be31e67932e4599b9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Mon, 6 Feb 2012 22:12:06 +0100 Subject: [PATCH 1/3] CURLOPT_SSL_NO_EMPTY_FRAGMENTS: added Tell libcurl to not send empty fragments over SSL in order to work around a security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better. --- docs/libcurl/curl_easy_setopt.3 | 7 +++++++ include/curl/curl.h | 4 ++++ lib/ssluse.c | 5 ++++- lib/url.c | 5 +++++ lib/urldata.h | 1 + 5 files changed, 21 insertions(+), 1 deletions(-) diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index d94a84b..288e417 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -2295,6 +2295,13 @@ this to 1 to enable it. By default all transfers are done using the cache. While nothing ever should get hurt by attempting to reuse SSL session-IDs, there seem to be broken SSL implementations in the wild that may require you to disable this in order for you to succeed. (Added in 7.16.0) +.IP CURLOPT_SSL_NO_EMPTY_FRAGMENTS +Pass a long set to 1 to tell libcurl to not send empty fragments over SSL in +order to work around a security flaw in the SSL3 and TLS1.0 protocols. If +this option isn't used or set to 0, the SSL layer libcurl uses may use this +work-around which is known to cause interoperability problem with some (older) +SSL implementations. WARNING: avoiding this work-around loosens the security, +and by setting this option to 1 you ask for exactly that. (Added in 7.25.0) .IP CURLOPT_KRBLEVEL Pass a char * as parameter. Set the kerberos security level for FTP; this also enables kerberos awareness. This is a string, \&'clear', \&'safe', diff --git a/include/curl/curl.h b/include/curl/curl.h index 59a5c79..cc81edc 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1499,6 +1499,10 @@ typedef enum { of miliseconds. */ CINIT(ACCEPTTIMEOUT_MS, LONG, 212), + /* Switch off the empty-fragments work-around with SSLv3/TLSv1.0 for those + SSL libraries that use it (like OpenSSL) */ + CINIT(SSL_NO_EMPTY_FRAGMENTS, LONG, 213), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/ssluse.c b/lib/ssluse.c index 014d5b5..710f08e 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1566,7 +1566,10 @@ ossl_connect_step1(struct connectdata *conn, #endif #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + /* unless explicitly asked to not insert empty fragments, keep that + work-around enabled */ + if(!conn->data->set.ssl_no_empty_frags) + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ diff --git a/lib/url.c b/lib/url.c index 466748b..e7e9d83 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2175,6 +2175,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, */ data->set.use_ssl = (curl_usessl)va_arg(param, long); break; + + case CURLOPT_SSL_NO_EMPTY_FRAGMENTS: + data->set.ssl_no_empty_frags = va_arg(param, long)?TRUE:FALSE; + break; + #endif case CURLOPT_FTPSSLAUTH: /* diff --git a/lib/urldata.h b/lib/urldata.h index adabf5b..ec6f2e7 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1508,6 +1508,7 @@ struct UserDefined { bool ftp_skip_ip; /* skip the IP address the FTP server passes on to us */ bool connect_only; /* make connection, let application use the socket */ + bool ssl_no_empty_frags; /* don't send empty SSL fragments */ long ssh_auth_types; /* allowed SSH auth types */ bool http_te_skip; /* pass the raw body data to the user, even when transfer-encoded (chunked, compressed) */ -- 1.7.9
From f44dff73bcd1e6c51091dd97baf5fb671b3be311 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Mon, 6 Feb 2012 22:25:04 +0100 Subject: [PATCH 2/3] --ssl-no-empty-fragments added This option tells curl to not send empty fragments over SSL in order to work around a security flaw in the SSL3 and TLS1.0 protocols. It uses the CURLOPT_SSL_NO_EMPTY_FRAGMENTS libcurl option for this. --- docs/curl.1 | 7 +++++++ src/tool_cfgable.h | 4 ++-- src/tool_getparam.c | 7 ++++++- src/tool_help.c | 3 ++- src/tool_operate.c | 4 ++++ 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/curl.1 b/docs/curl.1 index e92cf51..d8ae06e 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -1258,6 +1258,13 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0) This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That option name can still be used but will be removed in a future version. +.IP "--ssl-no-empty-fragments" +(SSL) This option tells curl to not send empty fragments over SSL in order to +work around a security flaw in the SSL3 and TLS1.0 protocols. If this option +isn't used, the SSL layer may use this work-around which is known to cause +interoperability problems with some older SSL implementations. WARNING: +avoiding this work-around loosens the security, and by using this flag you ask +for exactly that. (Added in 7.25.0) .IP "--socks4 <host[:port]>" Use the specified SOCKS4 proxy. If the port number is not specified, it is assumed at port 1080. (Added in 7.15.2) diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index adbb446..1b27668 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <[email protected]>, et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, <[email protected]>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -195,7 +195,7 @@ struct Configurable { bool xattr; /* store metadata in extended attributes */ long gssapi_delegation; - + bool ssl_no_empty_frags; /* don't sent empty SSL fragments */ }; /* struct Configurable */ void free_config_fields(struct Configurable *config); diff --git a/src/tool_getparam.c b/src/tool_getparam.c index bd7375f..ab85107 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <[email protected]>, et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, <[email protected]>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -202,6 +202,7 @@ static const struct LongShort aliases[]= { {"Ek", "tlsuser", TRUE}, {"El", "tlspassword", TRUE}, {"Em", "tlsauthtype", TRUE}, + {"En", "ssl-no-empty-fragments", FALSE}, {"f", "fail", FALSE}, {"F", "form", TRUE}, {"Fs", "form-string", TRUE}, @@ -1144,6 +1145,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ else return PARAM_LIBCURL_DOESNT_SUPPORT; break; + case 'n': /* no empty SSL fragments */ + if(curlinfo->features & CURL_VERSION_SSL) + config->ssl_no_empty_frags = toggle; + break; default: /* certificate file */ { char *ptr = strchr(nextarg, ':'); diff --git a/src/tool_help.c b/src/tool_help.c index 7c7d8d3..7c8fce5 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <[email protected]>, et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, <[email protected]>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -187,6 +187,7 @@ static const char *const helptext[] = { " --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)", " -2, --sslv2 Use SSLv2 (SSL)", " -3, --sslv3 Use SSLv3 (SSL)", + " --ssl-no-empty-fragments Disable empty fragments work-around (SSL)", " --stderr FILE Where to redirect stderr. - means stdout", " --tcp-nodelay Use the TCP_NODELAY option", " -t, --telnet-option OPT=VAL Set telnet option", diff --git a/src/tool_operate.c b/src/tool_operate.c index d086ac5..f92297c 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1204,6 +1204,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[]) my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation); + /* new in 7.25.0 */ + if(config->ssl_no_empty_frags) + my_setopt(curl, CURLOPT_SSL_NO_EMPTY_FRAGMENTS, 1L); + /* initialize retry vars for loop below */ retry_sleep_default = (config->retry_delay) ? config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */ -- 1.7.9
From 5a80ced17948158da8871388a212a1417f38f5d1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Mon, 6 Feb 2012 22:33:05 +0100 Subject: [PATCH 3/3] new symbol: CURLOPT_SSL_NO_EMPTY_FRAGMENTS added in 7.25.0 --- docs/libcurl/symbols-in-versions | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index 73d50a2..85af38a 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -482,6 +482,7 @@ CURLOPT_SSLVERSION 7.1 CURLOPT_SSL_CIPHER_LIST 7.9 CURLOPT_SSL_CTX_DATA 7.10.6 CURLOPT_SSL_CTX_FUNCTION 7.10.6 +CURLOPT_SSL_NO_EMPTY_FRAGMENTS 7.25.0 CURLOPT_SSL_SESSIONID_CACHE 7.16.0 CURLOPT_SSL_VERIFYHOST 7.8.1 CURLOPT_SSL_VERIFYPEER 7.4.2 -- 1.7.9
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
