From ebf31389927dd1f514c0a7092a6ba52ad003ad95 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 8 Feb 2012 13:36:36 +0100 Subject: [PATCH] nss: add support for the CURLSSLOPT_ALLOW_BEAST option ... and fix some typos from the 62d15f1 commit. --- lib/nss.c | 13 +++++++++++++ src/tool_getparam.c | 2 +- src/tool_help.c | 2 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/nss.c b/lib/nss.c index f63d9718b..8f6da50ea 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -1158,6 +1158,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) PRBool ssl3 = PR_FALSE; PRBool tlsv1 = PR_FALSE; PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; struct SessionHandle *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; @@ -1266,6 +1267,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) goto error; + ssl_cbc_random_iv = !data->set.ssl_enable_beast; +#ifdef SSL_CBC_RANDOM_IV + /* unless the user explicitly asks to allow the protocol vulnerability, we + use the work-around */ + if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess) + infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n", + ssl_cbc_random_iv); +#else + if(ssl_cbc_random_iv) + infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n"); +#endif + /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index e65371f3e..c8519c201 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -202,7 +202,7 @@ static const struct LongShort aliases[]= { {"Ek", "tlsuser", TRUE}, {"El", "tlspassword", TRUE}, {"Em", "tlsauthtype", TRUE}, - {"En", "ssl-no-empty-fragments", FALSE}, + {"En", "ssl-allow-beast", FALSE}, {"f", "fail", FALSE}, {"F", "form", TRUE}, {"Fs", "form-string", TRUE}, diff --git a/src/tool_help.c b/src/tool_help.c index a3e9da098..77b6df546 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -187,7 +187,7 @@ static const char *const helptext[] = { " --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)", " -2, --sslv2 Use SSLv2 (SSL)", " -3, --sslv3 Use SSLv3 (SSL)", - " --ssl-allow-below Allow security flaw to improve interop (SSL)", + " --ssl-allow-beast Allow security flaw to improve interop (SSL)", " --stderr FILE Where to redirect stderr. - means stdout", " --tcp-nodelay Use the TCP_NODELAY option", " -t, --telnet-option OPT=VAL Set telnet option",