Commit 62d15f15 authored by Daniel Stenberg

--ssl-allow-beast added

This new option tells curl not to work around the BEAST security flaw in the
SSL3 and TLS1.0 protocols. It uses the new libcurl option
CURLOPT_SSL_OPTIONS with the CURLSSLOPT_ALLOW_BEAST bit set.
parent 2a699bc6
+6 −0
@@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)


This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
option name can still be used but will be removed in a future version.
option name can still be used but will be removed in a future version.
.IP "--ssl-allow-beast"
(SSL) This option tells curl to not work around a security flaw in the SSL3
and TLS1.0 protocols known as BEAST.  If this option isn't used, the SSL layer
may use work-arounds known to cause interoperability problems with some older
SSL implementations. WARNING: this option loosens the SSL security, and by
using this flag you ask for exactly that.  (Added in 7.25.0)
.IP "--socks4 <host[:port]>"
.IP "--socks4 <host[:port]>"
Use the specified SOCKS4 proxy. If the port number is not specified, it is
Use the specified SOCKS4 proxy. If the port number is not specified, it is
assumed at port 1080. (Added in 7.15.2)
assumed at port 1080. (Added in 7.15.2)
+2 −2
@@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *                             \___|\___/|_| \_\_____|
 *
 *
 * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 *
 * This software is licensed as described in the file COPYING, which
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * you should have received as part of this distribution. The terms
@@ -195,7 +195,7 @@ struct Configurable {


  bool xattr;               /* store metadata in extended attributes */
  bool xattr;               /* store metadata in extended attributes */
  long gssapi_delegation;
  long gssapi_delegation;

  bool ssl_allow_beast;     /* allow this SSL vulnerability */
}; /* struct Configurable */
}; /* struct Configurable */


void free_config_fields(struct Configurable *config);
void free_config_fields(struct Configurable *config);
+6 −1
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *                             \___|\___/|_| \_\_____|
 *
 *
 * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 *
 * This software is licensed as described in the file COPYING, which
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * you should have received as part of this distribution. The terms
@@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
  {"Ek", "tlsuser",                  TRUE},
  {"Ek", "tlsuser",                  TRUE},
  {"El", "tlspassword",              TRUE},
  {"El", "tlspassword",              TRUE},
  {"Em", "tlsauthtype",              TRUE},
  {"Em", "tlsauthtype",              TRUE},
  {"En", "ssl-no-empty-fragments",   FALSE},
  {"f",  "fail",                     FALSE},
  {"f",  "fail",                     FALSE},
  {"F",  "form",                     TRUE},
  {"F",  "form",                     TRUE},
  {"Fs", "form-string",              TRUE},
  {"Fs", "form-string",              TRUE},
@@ -1144,6 +1145,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
        else
        else
          return PARAM_LIBCURL_DOESNT_SUPPORT;
          return PARAM_LIBCURL_DOESNT_SUPPORT;
        break;
        break;
      case 'n': /* no empty SSL fragments */
        if(curlinfo->features & CURL_VERSION_SSL)
          config->ssl_allow_beast = toggle;
        break;
      default: /* certificate file */
      default: /* certificate file */
      {
      {
        char *ptr = strchr(nextarg, ':');
        char *ptr = strchr(nextarg, ':');
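Review bot: The long option registered on the new alias-table line is `ssl-no-empty-fragments`, but the man page added by this same commit documents `--ssl-allow-beast` (and the help text prints `--ssl-allow-below`), so the documented spelling is rejected by the parser as an unknown option. The alias entry should read `{"En", "ssl-allow-beast",          FALSE},` and the case comment `case 'n': /* --ssl-allow-beast */`, so both match the `ssl_allow_beast` field the case actually sets rather than the leftover "no empty SSL fragments" wording. The new case also drops the flag silently when libcurl reports no SSL support, whereas the preceding case visible in the hunk returns PARAM_LIBCURL_DOESNT_SUPPORT from its else branch; if that difference is unintentional, add `else return PARAM_LIBCURL_DOESNT_SUPPORT;` after the feature check for consistency. getparameter() starts and ends outside the hunk.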
+2 −1
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *                             \___|\___/|_| \_\_____|
 *
 *
 * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 *
 * This software is licensed as described in the file COPYING, which
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * you should have received as part of this distribution. The terms
@@ -187,6 +187,7 @@ static const char *const helptext[] = {
  "     --ssl-reqd      Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
  "     --ssl-reqd      Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
  " -2, --sslv2         Use SSLv2 (SSL)",
  " -2, --sslv2         Use SSLv2 (SSL)",
  " -3, --sslv3         Use SSLv3 (SSL)",
  " -3, --sslv3         Use SSLv3 (SSL)",
  "     --ssl-allow-below Allow security flaw to improve interop (SSL)",
  "     --stderr FILE   Where to redirect stderr. - means stdout",
  "     --stderr FILE   Where to redirect stderr. - means stdout",
  "     --tcp-nodelay   Use the TCP_NODELAY option",
  "     --tcp-nodelay   Use the TCP_NODELAY option",
  " -t, --telnet-option OPT=VAL  Set telnet option",
  " -t, --telnet-option OPT=VAL  Set telnet option",
+4 −0
@@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
          my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
          my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
                        config->gssapi_delegation);
                        config->gssapi_delegation);


        /* new in 7.25.0 */
        if(config->ssl_allow_beast)
          my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);

        /* initialize retry vars for loop below */
        /* initialize retry vars for loop below */
        retry_sleep_default = (config->retry_delay) ?
        retry_sleep_default = (config->retry_delay) ?
          config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
          config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
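Review bot: The comment `/* new in 7.25.0 */` records when the lines were added rather than why the setopt is conditional, and CURLOPT_SSL_OPTIONS is a bitmask whose value is presumably replaced, not OR-ed, by each call, so any later tool option that exposes another CURLSSLOPT_* bit has to be folded into this same call or it will clobber the BEAST bit. A comment such as `/* CURLOPT_SSL_OPTIONS is a bitmask: OR any further CURLSSLOPT_* bits into this single call */` would make that explicit; alternatively build a local `long ssl_opts = 0;`, OR `CURLSSLOPT_ALLOW_BEAST` into it when `config->ssl_allow_beast` is set, and issue one `my_setopt(curl, CURLOPT_SSL_OPTIONS, ssl_opts);`. operate() starts and ends outside the hunk.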