On Wednesday 08 February 2012 11:37:25 Daniel Stenberg wrote:
> On Tue, 7 Feb 2012, Yang Tse wrote:
>
> > Perhaps naming it CURLOPT_SSL_OPTIONS with the bitmask style argument you
> > mention would be the most flexible.
>
> Such a take would look like the attached patch. It accepts a bitmask with
> only one defined bit so far named CURLSSLOPT_ENABLE_BEAST.
>
> Thoughts?
Looks good to me. I am attaching the promised patch for NSS.

Kamil
From 6581fe87b65dc06b1c6eb819b2a3d8ee4fdf1813 Mon Sep 17 00:00:00 2001 From: Kamil Dudka <[email protected]> Date: Wed, 8 Feb 2012 13:36:36 +0100 Subject: [PATCH] nss: add support for the CURLSSLOPT_ENABLE_BEAST flag --- lib/nss.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/lib/nss.c b/lib/nss.c index f63d971..8f6da50 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -1158,6 +1158,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) PRBool ssl3 = PR_FALSE; PRBool tlsv1 = PR_FALSE; PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; struct SessionHandle *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; @@ -1266,6 +1267,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) goto error; + ssl_cbc_random_iv = !data->set.ssl_enable_beast; +#ifdef SSL_CBC_RANDOM_IV + /* unless the user explicitly asks to allow the protocol vulnerability, we + use the work-around */ + if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess) + infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n", + ssl_cbc_random_iv); +#else + if(ssl_cbc_random_iv) + infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n"); +#endif + /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; -- 1.7.1
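Review bot: in the second hunk, a failed SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) only emits an infof() warning and the handshake continues, while the SSL_V2_COMPATIBLE_HELLO call immediately above it does `goto error` on failure. In the default case (ssl_cbc_random_iv is TRUE because the user did not set CURLSSLOPT_ENABLE_BEAST) that means the connection silently proceeds without the BEAST work-around, and the user only finds out in verbose output; the `#else` branch has the same property when SSL_CBC_RANDOM_IV is not compiled in. Consider treating the failure like the neighbouring option calls, or at least wording both warnings as "continuing without the CBC random IV work-around" so the degraded state is explicit. Also, `data->set.ssl_enable_beast` is not introduced by this patch, so the commit message should state that it depends on the CURLOPT_SSL_OPTIONS patch from the quoted message being applied first.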
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
