CURLOPT_SSL_OPTIONS: added (2a699bc6) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

docs/libcurl/curl_easy_setopt.3

+10 −0

Original line number	Diff line number	Diff line
		@@ -2313,6 +2313,16 @@ this to 1 to enable it. By default all transfers are done using the
		cache. While nothing ever should get hurt by attempting to reuse SSL
		session-IDs, there seem to be broken SSL implementations in the wild that may
		require you to disable this in order for you to succeed. (Added in 7.16.0)
		.IP CURLOPT_SSL_OPTIONS
		Pass a long with a bitmask to tell libcurl about specific SSL behaviors.

		CURLSSLOPT_ALLOW_BEAST is the only supported bit and by setting this the user
		will tell libcurl to not attempt to use any work-arounds for a security flaw
		in the SSL3 and TLS1.0 protocols. If this option isn't used or this bit is
		set to 0, the SSL layer libcurl uses may use a work-around for this flaw
		although it might cause interoperability problems with some (older) SSL
		implementations. WARNING: avoiding this work-around loosens the security, and
		by setting this option to 1 you ask for exactly that. (Added in 7.25.0)
		.IP CURLOPT_KRBLEVEL
		Pass a char * as parameter. Set the kerberos security level for FTP; this also
		enables kerberos awareness. This is a string, \&'clear', \&'safe',

+2 −0

+12 −0

Original line number	Diff line number	Diff line
		@@ -673,6 +673,15 @@ typedef enum {
		CURLUSESSL_LAST /* not an option, never use */
		} curl_usessl;

		/* Definition of bits for the CURLOPT_SSL_OPTIONS argument: */

		/* - ALLOW_BEAST tells libcurl to allow the BEAST SSL vulnerability in the
		name of improving interoperability with older servers. Some SSL libraries
		have introduced work-arounds for this flaw but those work-arounds sometimes
		make the SSL communication fail. To regain functionality with those broken
		servers, a user can this way allow the vulnerability back. */
		#define CURLSSLOPT_ALLOW_BEAST (1<<0)

		#ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
		the obsolete stuff removed! */

		@@ -1506,6 +1515,9 @@ typedef enum {
		CINIT(TCP_KEEPIDLE, LONG, 214),
		CINIT(TCP_KEEPINTVL, LONG, 215),

		/* Enable/disable specific SSL features with a bitmask, see CURLSSLOPT_* */
		CINIT(SSL_OPTIONS, LONG, 216),

		CURLOPT_LASTENTRY /* the last unused */
		} CURLoption;

+4 −1

Original line number	Diff line number	Diff line
		@@ -1566,6 +1566,9 @@ ossl_connect_step1(struct connectdata *conn,
		#endif

		#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
		/* unless the user explicitly ask to allow the protocol vulnerability we
		use the work-around */
		if(!conn->data->set.ssl_enable_beast)
		ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
		#endif

+10 −5

Original line number	Diff line number	Diff line
		@@ -838,6 +838,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
		{
		char *argptr;
		CURLcode result = CURLE_OK;
		long arg;
		#ifndef CURL_DISABLE_HTTP
		curl_off_t bigsize;
		#endif
		@@ -847,11 +848,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
		data->set.dns_cache_timeout = va_arg(param, long);
		break;
		case CURLOPT_DNS_USE_GLOBAL_CACHE:
		{
		/* remember we want this enabled */
		long use_cache = va_arg(param, long);
		data->set.global_dns_cache = (0 != use_cache)?TRUE:FALSE;
		}
		arg = va_arg(param, long);
		data->set.global_dns_cache = (0 != arg)?TRUE:FALSE;
		break;
		case CURLOPT_SSL_CIPHER_LIST:
		/* set a list of cipher we want to use in the SSL connection */
		@@ -2189,6 +2188,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
		*/
		data->set.use_ssl = (curl_usessl)va_arg(param, long);
		break;

		case CURLOPT_SSL_OPTIONS:
		arg = va_arg(param, long);
		data->set.ssl_enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
		break;

		#endif
		case CURLOPT_FTPSSLAUTH:
		/*