CURLOPT_SSL_OPTIONS: added

Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ALLOW_BEAST.

It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.

This is a reaction to us unconditionally removing that behavior after
this security advisory:

http://curl.haxx.se/docs/adv_20120124B.html

... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.
This commit is contained in:
Daniel Stenberg 2012-02-06 22:12:06 +01:00
parent 2a266c1c7c
commit 2a699bc6e9
6 changed files with 40 additions and 6 deletions

View File

@ -2313,6 +2313,16 @@ this to 1 to enable it. By default all transfers are done using the
cache. While nothing ever should get hurt by attempting to reuse SSL
session-IDs, there seem to be broken SSL implementations in the wild that may
require you to disable this in order for you to succeed. (Added in 7.16.0)
.IP CURLOPT_SSL_OPTIONS
Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
CURLSSLOPT_ALLOW_BEAST is the only supported bit and by setting this the user
will tell libcurl to not attempt to use any work-arounds for a security flaw
in the SSL3 and TLS1.0 protocols. If this option isn't used or this bit is
set to 0, the SSL layer libcurl uses may use a work-around for this flaw
although it might cause interoperability problems with some (older) SSL
implementations. WARNING: avoiding this work-around loosens the security, and
by setting this option to 1 you ask for exactly that. (Added in 7.25.0)
.IP CURLOPT_KRBLEVEL
Pass a char * as parameter. Set the kerberos security level for FTP; this also
enables kerberos awareness. This is a string, \&'clear', \&'safe',

View File

@ -482,6 +482,7 @@ CURLOPT_SSLVERSION 7.1
CURLOPT_SSL_CIPHER_LIST 7.9
CURLOPT_SSL_CTX_DATA 7.10.6
CURLOPT_SSL_CTX_FUNCTION 7.10.6
CURLOPT_SSL_OPTIONS 7.25.0
CURLOPT_SSL_SESSIONID_CACHE 7.16.0
CURLOPT_SSL_VERIFYHOST 7.8.1
CURLOPT_SSL_VERIFYPEER 7.4.2
@ -573,6 +574,7 @@ CURLSSH_AUTH_KEYBOARD 7.16.1
CURLSSH_AUTH_NONE 7.16.1
CURLSSH_AUTH_PASSWORD 7.16.1
CURLSSH_AUTH_PUBLICKEY 7.16.1
CURLSSLOPT_ALLOW_BEAST 7.25.0
CURLUSESSL_ALL 7.17.0
CURLUSESSL_CONTROL 7.17.0
CURLUSESSL_NONE 7.17.0

View File

@ -673,6 +673,15 @@ typedef enum {
CURLUSESSL_LAST /* not an option, never use */
} curl_usessl;
/* Definition of bits for the CURLOPT_SSL_OPTIONS argument: */
/* - ALLOW_BEAST tells libcurl to allow the BEAST SSL vulnerability in the
name of improving interoperability with older servers. Some SSL libraries
have introduced work-arounds for this flaw but those work-arounds sometimes
make the SSL communication fail. To regain functionality with those broken
servers, a user can this way allow the vulnerability back. */
#define CURLSSLOPT_ALLOW_BEAST (1<<0)
#ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
the obsolete stuff removed! */
@ -1506,6 +1515,9 @@ typedef enum {
CINIT(TCP_KEEPIDLE, LONG, 214),
CINIT(TCP_KEEPINTVL, LONG, 215),
/* Enable/disable specific SSL features with a bitmask, see CURLSSLOPT_* */
CINIT(SSL_OPTIONS, LONG, 216),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;

View File

@ -1566,7 +1566,10 @@ ossl_connect_step1(struct connectdata *conn,
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
/* unless the user explicitly ask to allow the protocol vulnerability we
use the work-around */
if(!conn->data->set.ssl_enable_beast)
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */

View File

@ -838,6 +838,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
{
char *argptr;
CURLcode result = CURLE_OK;
long arg;
#ifndef CURL_DISABLE_HTTP
curl_off_t bigsize;
#endif
@ -847,12 +848,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
data->set.dns_cache_timeout = va_arg(param, long);
break;
case CURLOPT_DNS_USE_GLOBAL_CACHE:
{
/* remember we want this enabled */
long use_cache = va_arg(param, long);
data->set.global_dns_cache = (0 != use_cache)?TRUE:FALSE;
}
break;
arg = va_arg(param, long);
data->set.global_dns_cache = (0 != arg)?TRUE:FALSE;
break;
case CURLOPT_SSL_CIPHER_LIST:
/* set a list of cipher we want to use in the SSL connection */
result = setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
@ -2189,6 +2188,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
*/
data->set.use_ssl = (curl_usessl)va_arg(param, long);
break;
case CURLOPT_SSL_OPTIONS:
arg = va_arg(param, long);
data->set.ssl_enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
break;
#endif
case CURLOPT_FTPSSLAUTH:
/*

View File

@ -1508,6 +1508,8 @@ struct UserDefined {
bool ftp_skip_ip; /* skip the IP address the FTP server passes on to
us */
bool connect_only; /* make connection, let application use the socket */
bool ssl_enable_beast; /* especially allow this flaw for interoperability's
sake*/
long ssh_auth_types; /* allowed SSH auth types */
bool http_te_skip; /* pass the raw body data to the user, even when
transfer-encoded (chunked, compressed) */