--ssl-allow-beast added

This new option tells curl to not work around a security flaw in the
SSL3 and TLS1.0 protocols. It uses the new libcurl option
CURLOPT_SSL_OPTIONS with the CURLSSLOPT_ALLOW_BEAST bit set.
Daniel Stenberg 2012-02-06 22:25:04 +01:00
parent 2a699bc6e9
commit 62d15f159e
5 changed files with 20 additions and 4 deletions


@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)
This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That
option name can still be used but will be removed in a future version. option name can still be used but will be removed in a future version.
.IP "--ssl-allow-beast"
(SSL) This option tells curl to not work around a security flaw in the SSL3
and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
may use work-arounds known to cause interoperability problems with some older
SSL implementations. WARNING: this option loosens the SSL security, and by
using this flag you ask for exactly that. (Added in 7.25.0)
.IP "--socks4 <host[:port]>" .IP "--socks4 <host[:port]>"
Use the specified SOCKS4 proxy. If the port number is not specified, it is Use the specified SOCKS4 proxy. If the port number is not specified, it is
assumed at port 1080. (Added in 7.15.2) assumed at port 1080. (Added in 7.15.2)


@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -195,7 +195,7 @@ struct Configurable {
bool xattr; /* store metadata in extended attributes */ bool xattr; /* store metadata in extended attributes */
long gssapi_delegation; long gssapi_delegation;
bool ssl_allow_beast; /* allow this SSL vulnerability */
}; /* struct Configurable */ }; /* struct Configurable */
void free_config_fields(struct Configurable *config); void free_config_fields(struct Configurable *config);
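Review bot: The comment on the new field, `bool ssl_allow_beast; /* allow this SSL vulnerability */`, names neither the vulnerability nor what the flag drives, so a reader of the header has to locate the operate() hunk to learn that it turns into CURLSSLOPT_ALLOW_BEAST on CURLOPT_SSL_OPTIONS. Suggest `bool ssl_allow_beast; /* --ssl-allow-beast: set CURLSSLOPT_ALLOW_BEAST in CURLOPT_SSL_OPTIONS */`. struct Configurable begins outside the hunk.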


@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
{"Ek", "tlsuser", TRUE}, {"Ek", "tlsuser", TRUE},
{"El", "tlspassword", TRUE}, {"El", "tlspassword", TRUE},
{"Em", "tlsauthtype", TRUE}, {"Em", "tlsauthtype", TRUE},
{"En", "ssl-no-empty-fragments", FALSE},
{"f", "fail", FALSE}, {"f", "fail", FALSE},
{"F", "form", TRUE}, {"F", "form", TRUE},
{"Fs", "form-string", TRUE}, {"Fs", "form-string", TRUE},
@ -1144,6 +1145,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
else else
return PARAM_LIBCURL_DOESNT_SUPPORT; return PARAM_LIBCURL_DOESNT_SUPPORT;
break; break;
case 'n': /* no empty SSL fragments */
if(curlinfo->features & CURL_VERSION_SSL)
config->ssl_allow_beast = toggle;
break;
default: /* certificate file */ default: /* certificate file */
{ {
char *ptr = strchr(nextarg, ':'); char *ptr = strchr(nextarg, ':');
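Review bot: The alias entry `{"En", "ssl-no-empty-fragments", FALSE},` registers the long option under a name that differs from the `--ssl-allow-beast` used by the commit message, the man page hunk and the new config field, so the documented spelling would be rejected as an unknown option while an undocumented one is accepted; the `case 'n': /* no empty SSL fragments */` comment carries the same mismatch, and the helptext[] hunk spells it a third way as `--ssl-allow-below`. Suggest `{"En", "ssl-allow-beast", FALSE},`, `case 'n': /* --ssl-allow-beast */`, and `" --ssl-allow-beast Allow security flaw to improve interop (SSL)",` so the three agree with the man page. The CURL_VERSION_SSL guard before setting `config->ssl_allow_beast` is consistent with the neighbouring cases. getparameter() begins and ends outside the hunk.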


@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -187,6 +187,7 @@ static const char *const helptext[] = {
" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)", " --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
" -2, --sslv2 Use SSLv2 (SSL)", " -2, --sslv2 Use SSLv2 (SSL)",
" -3, --sslv3 Use SSLv3 (SSL)", " -3, --sslv3 Use SSLv3 (SSL)",
" --ssl-allow-below Allow security flaw to improve interop (SSL)",
" --stderr FILE Where to redirect stderr. - means stdout", " --stderr FILE Where to redirect stderr. - means stdout",
" --tcp-nodelay Use the TCP_NODELAY option", " --tcp-nodelay Use the TCP_NODELAY option",
" -t, --telnet-option OPT=VAL Set telnet option", " -t, --telnet-option OPT=VAL Set telnet option",


@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION, my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
config->gssapi_delegation); config->gssapi_delegation);
/* new in 7.25.0 */
if(config->ssl_allow_beast)
my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);
/* initialize retry vars for loop below */ /* initialize retry vars for loop below */
retry_sleep_default = (config->retry_delay) ? retry_sleep_default = (config->retry_delay) ?
config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */ config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */