--ssl-allow-beast added (62d15f15) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

docs/curl.1

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)

	This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That		This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
	option name can still be used but will be removed in a future version.		option name can still be used but will be removed in a future version.
			.IP "--ssl-allow-beast"
			(SSL) This option tells curl to not work around a security flaw in the SSL3
			and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
			may use work-arounds known to cause interoperability problems with some older
			SSL implementations. WARNING: this option loosens the SSL security, and by
			using this flag you ask for exactly that. (Added in 7.25.0)
	.IP "--socks4 <host[:port]>"		.IP "--socks4 <host[:port]>"
	Use the specified SOCKS4 proxy. If the port number is not specified, it is		Use the specified SOCKS4 proxy. If the port number is not specified, it is
	assumed at port 1080. (Added in 7.15.2)		assumed at port 1080. (Added in 7.15.2)

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -7,7 +7,7 @@
	* \| (__\| \|_\| \| _ <\| \|___		* \| (__\| \|_\| \| _ <\| \|___
	* \___\|\___/\|_\| \_\_____\|		* \___\|\___/\|_\| \_\_____\|
	*		*
	* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.		* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
	*		*
	* This software is licensed as described in the file COPYING, which		* This software is licensed as described in the file COPYING, which
	* you should have received as part of this distribution. The terms		* you should have received as part of this distribution. The terms
	@@ -195,7 +195,7 @@ struct Configurable {

	bool xattr; /* store metadata in extended attributes */		bool xattr; /* store metadata in extended attributes */
	long gssapi_delegation;		long gssapi_delegation;
			bool ssl_allow_beast; /* allow this SSL vulnerability */
	}; /* struct Configurable */		}; /* struct Configurable */

	void free_config_fields(struct Configurable *config);		void free_config_fields(struct Configurable *config);

+6 −1

Original line number	Original line	Diff line number	Diff line
	@@ -5,7 +5,7 @@
	* \| (__\| \|_\| \| _ <\| \|___		* \| (__\| \|_\| \| _ <\| \|___
	* \___\|\___/\|_\| \_\_____\|		* \___\|\___/\|_\| \_\_____\|
	*		*
	* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.		* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
	*		*
	* This software is licensed as described in the file COPYING, which		* This software is licensed as described in the file COPYING, which
	* you should have received as part of this distribution. The terms		* you should have received as part of this distribution. The terms
	@@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
	{"Ek", "tlsuser", TRUE},		{"Ek", "tlsuser", TRUE},
	{"El", "tlspassword", TRUE},		{"El", "tlspassword", TRUE},
	{"Em", "tlsauthtype", TRUE},		{"Em", "tlsauthtype", TRUE},
			{"En", "ssl-no-empty-fragments", FALSE},
	{"f", "fail", FALSE},		{"f", "fail", FALSE},
	{"F", "form", TRUE},		{"F", "form", TRUE},
	{"Fs", "form-string", TRUE},		{"Fs", "form-string", TRUE},
	@@ -1144,6 +1145,10 @@ ParameterError getparameter(char flag, / f or -long-flag */
	else		else
	return PARAM_LIBCURL_DOESNT_SUPPORT;		return PARAM_LIBCURL_DOESNT_SUPPORT;
	break;		break;
			case 'n': /* no empty SSL fragments */
			if(curlinfo->features & CURL_VERSION_SSL)
			config->ssl_allow_beast = toggle;
			break;
	default: /* certificate file */		default: /* certificate file */
	{		{
	char *ptr = strchr(nextarg, ':');		char *ptr = strchr(nextarg, ':');

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -5,7 +5,7 @@
	* \| (__\| \|_\| \| _ <\| \|___		* \| (__\| \|_\| \| _ <\| \|___
	* \___\|\___/\|_\| \_\_____\|		* \___\|\___/\|_\| \_\_____\|
	*		*
	* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.		* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
	*		*
	* This software is licensed as described in the file COPYING, which		* This software is licensed as described in the file COPYING, which
	* you should have received as part of this distribution. The terms		* you should have received as part of this distribution. The terms
	@@ -187,6 +187,7 @@ static const char *const helptext[] = {
	" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",		" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
	" -2, --sslv2 Use SSLv2 (SSL)",		" -2, --sslv2 Use SSLv2 (SSL)",
	" -3, --sslv3 Use SSLv3 (SSL)",		" -3, --sslv3 Use SSLv3 (SSL)",
			" --ssl-allow-below Allow security flaw to improve interop (SSL)",
	" --stderr FILE Where to redirect stderr. - means stdout",		" --stderr FILE Where to redirect stderr. - means stdout",
	" --tcp-nodelay Use the TCP_NODELAY option",		" --tcp-nodelay Use the TCP_NODELAY option",
	" -t, --telnet-option OPT=VAL Set telnet option",		" -t, --telnet-option OPT=VAL Set telnet option",

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
	my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,		my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
	config->gssapi_delegation);		config->gssapi_delegation);

			/* new in 7.25.0 */
			if(config->ssl_allow_beast)
			my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);

	/* initialize retry vars for loop below */		/* initialize retry vars for loop below */
	retry_sleep_default = (config->retry_delay) ?		retry_sleep_default = (config->retry_delay) ?
	config->retry_delay1000L : RETRY_SLEEP_DEFAULT; / ms */		config->retry_delay1000L : RETRY_SLEEP_DEFAULT; / ms */