--ssl-allow-beast added (62d15f15) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

docs/curl.1

+6 −0

Original line number	Diff line number	Diff line
		@@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)

		This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
		option name can still be used but will be removed in a future version.
		.IP "--ssl-allow-beast"
		(SSL) This option tells curl to not work around a security flaw in the SSL3
		and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
		may use work-arounds known to cause interoperability problems with some older
		SSL implementations. WARNING: this option loosens the SSL security, and by
		using this flag you ask for exactly that. (Added in 7.25.0)
		.IP "--socks4 <host[:port]>"
		Use the specified SOCKS4 proxy. If the port number is not specified, it is
		assumed at port 1080. (Added in 7.15.2)

+2 −2

Original line number	Diff line number	Diff line
		@@ -7,7 +7,7 @@
		* \| (__\| \|_\| \| _ <\| \|___
		* \___\|\___/\|_\| \_\_____\|
		*
		* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
		* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
		*
		* This software is licensed as described in the file COPYING, which
		* you should have received as part of this distribution. The terms
		@@ -195,7 +195,7 @@ struct Configurable {

		bool xattr; /* store metadata in extended attributes */
		long gssapi_delegation;

		bool ssl_allow_beast; /* allow this SSL vulnerability */
		}; /* struct Configurable */

		void free_config_fields(struct Configurable *config);

+6 −1

Original line number	Diff line number	Diff line
		@@ -5,7 +5,7 @@
		* \| (__\| \|_\| \| _ <\| \|___
		* \___\|\___/\|_\| \_\_____\|
		*
		* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
		* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
		*
		* This software is licensed as described in the file COPYING, which
		* you should have received as part of this distribution. The terms
		@@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
		{"Ek", "tlsuser", TRUE},
		{"El", "tlspassword", TRUE},
		{"Em", "tlsauthtype", TRUE},
		{"En", "ssl-no-empty-fragments", FALSE},
		{"f", "fail", FALSE},
		{"F", "form", TRUE},
		{"Fs", "form-string", TRUE},
		@@ -1144,6 +1145,10 @@ ParameterError getparameter(char flag, / f or -long-flag */
		else
		return PARAM_LIBCURL_DOESNT_SUPPORT;
		break;
		case 'n': /* no empty SSL fragments */
		if(curlinfo->features & CURL_VERSION_SSL)
		config->ssl_allow_beast = toggle;
		break;
		default: /* certificate file */
		{
		char *ptr = strchr(nextarg, ':');

+2 −1

Original line number	Diff line number	Diff line
		@@ -5,7 +5,7 @@
		* \| (__\| \|_\| \| _ <\| \|___
		* \___\|\___/\|_\| \_\_____\|
		*
		* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
		* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
		*
		* This software is licensed as described in the file COPYING, which
		* you should have received as part of this distribution. The terms
		@@ -187,6 +187,7 @@ static const char *const helptext[] = {
		" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
		" -2, --sslv2 Use SSLv2 (SSL)",
		" -3, --sslv3 Use SSLv3 (SSL)",
		" --ssl-allow-below Allow security flaw to improve interop (SSL)",
		" --stderr FILE Where to redirect stderr. - means stdout",
		" --tcp-nodelay Use the TCP_NODELAY option",
		" -t, --telnet-option OPT=VAL Set telnet option",

+4 −0

Original line number	Diff line number	Diff line
		@@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
		my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
		config->gssapi_delegation);

		/* new in 7.25.0 */
		if(config->ssl_allow_beast)
		my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);

		/* initialize retry vars for loop below */
		retry_sleep_default = (config->retry_delay) ?
		config->retry_delay1000L : RETRY_SLEEP_DEFAULT; / ms */