On Tue, 7 Feb 2012, Yang Tse wrote:
Perhaps naming it CURLOPT_SSL_OPTIONS with the bitmask style argument you
mention would be the most flexible.
Such a take would look like the attached patch. It accepts a bitmask with only
one defined bit so far named CURLSSLOPT_ENABLE_BEAST.
Thoughts?
--
/ daniel.haxx.se
From 5c78e93a537c7a3bc98a11db5c69e5a97ea4797a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <dan...@haxx.se>
Date: Mon, 6 Feb 2012 22:12:06 +0100
Subject: [PATCH] CURLOPT_SSL_OPTIONS: added
Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ENABLE_BEAST.
It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.
This is a reaction to us unconditionally removing that behavior after
this security advisory:
http://curl.haxx.se/docs/adv_20120124B.html
... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.
---
docs/libcurl/curl_easy_setopt.3 | 10 ++++++++++
include/curl/curl.h | 6 ++++++
lib/ssluse.c | 5 ++++-
lib/url.c | 15 ++++++++++-----
lib/urldata.h | 2 ++
5 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index d94a84b..212a576 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2295,6 +2295,16 @@ this to 1 to enable it. By default all transfers are done using the
cache. While nothing ever should get hurt by attempting to reuse SSL
session-IDs, there seem to be broken SSL implementations in the wild that may
require you to disable this in order for you to succeed. (Added in 7.16.0)
+.IP CURLOPT_SSL_OPTIONS
+Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
+
+Starting out, CURLSSLOPT_ENABLE_BEAST is the only support bit and by setting
+this the user will tell libcurl to not attempt to use any work-arounds for a
+security flaw in the SSL3 and TLS1.0 protocols. If this option isn't used or
+this bit is set to 0, the SSL layer libcurl uses may use a work-around for
+this flaw although it might cause interoperability problems with some (older)
+SSL implementations. WARNING: avoiding this work-around loosens the security,
+and by setting this option to 1 you ask for exactly that. (Added in 7.25.0)
.IP CURLOPT_KRBLEVEL
Pass a char * as parameter. Set the kerberos security level for FTP; this also
enables kerberos awareness. This is a string, \&'clear', \&'safe',
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 59a5c79..3702e5c 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -673,6 +673,9 @@ typedef enum {
CURLUSESSL_LAST /* not an option, never use */
} curl_usessl;
+/* definition of bits for the CURLOPT_SSL_OPTIONS argument */
+#define CURLSSLOPT_ENABLE_BEAST (1<<0)
+
#ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
the obsolete stuff removed! */
@@ -1499,6 +1502,9 @@ typedef enum {
of miliseconds. */
CINIT(ACCEPTTIMEOUT_MS, LONG, 212),
+ /* Enable/disable specific SSL features with a bitmask, see CURLSSLOPT_* */
+ CINIT(SSL_OPTIONS, LONG, 213),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 014d5b5..c3d5ec4 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1566,7 +1566,10 @@ ossl_connect_step1(struct connectdata *conn,
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
- ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ /* unless the user explicitly ask to allow the protocol vulnerability we
+ use the work-around */
+ if(!conn->data->set.ssl_enable_beast)
+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
diff --git a/lib/url.c b/lib/url.c
index 395055f..b54f135 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -830,6 +830,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
{
char *argptr;
CURLcode result = CURLE_OK;
+ long arg;
#ifndef CURL_DISABLE_HTTP
curl_off_t bigsize;
#endif
@@ -839,12 +840,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
data->set.dns_cache_timeout = va_arg(param, long);
break;
case CURLOPT_DNS_USE_GLOBAL_CACHE:
- {
/* remember we want this enabled */
- long use_cache = va_arg(param, long);
- data->set.global_dns_cache = (0 != use_cache)?TRUE:FALSE;
- }
- break;
+ arg = va_arg(param, long);
+ data->set.global_dns_cache = (0 != arg)?TRUE:FALSE;
+ break;
case CURLOPT_SSL_CIPHER_LIST:
/* set a list of cipher we want to use in the SSL connection */
result = setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
@@ -2181,6 +2180,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
*/
data->set.use_ssl = (curl_usessl)va_arg(param, long);
break;
+
+ case CURLOPT_SSL_OPTIONS:
+ arg = va_arg(param, long);
+ data->set.ssl_enable_beast = arg&CURLSSLOPT_ENABLE_BEAST?TRUE:FALSE;
+ break;
+
#endif
case CURLOPT_FTPSSLAUTH:
/*
diff --git a/lib/urldata.h b/lib/urldata.h
index adabf5b..2b7f7d2 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1508,6 +1508,8 @@ struct UserDefined {
bool ftp_skip_ip; /* skip the IP address the FTP server passes on to
us */
bool connect_only; /* make connection, let application use the socket */
+ bool ssl_enable_beast; /* especially allow this flaw for interoperability's
+ sake*/
long ssh_auth_types; /* allowed SSH auth types */
bool http_te_skip; /* pass the raw body data to the user, even when
transfer-encoded (chunked, compressed) */
--
1.7.9
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
