retitle 658276 libcurl3: No more compatible with older SSL implementations
forwarded 658276 http://curl.haxx.se/mail/lib-2012-02/0001.html
kthxbye
On Wed, Feb 01, 2012 at 07:27:06PM +0100, Kurt Roeckx wrote:
> Package: libcurl3
> Version: 7.21.0-2.1+squeeze1, 7.24.0-1
> Severity: grave
>
> Hi,
Hi,
> After the upgrade from 7.21.0-2 or 7.23.1-3 some sites stop to
> work while others continue to work.
>
> My guess is that this is related to the CVE-2011-3389 change.
> If my memory is any good, the reason why openssl still does
> something with that option is because not all implementations
> work without it. I think I at least saw a blog post about
> the state of that issue a few months ago.
AFAIU, the problem is that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option is
meant to keep compatibility with some older and broken SSL implementations
that don't support empty fragments, but it also re-introduces a security
issue.
That's why such option was disabled in curl 7.24.0 (and backported to
stable-security). It was a mistake on the curl developers side to enable it
in the first place (it was done by accident because of the not-so-clear
OpenSSL documentation, according to upstream).
I understand that this may cause problems (the incompatibility didn't show
up in my tests with live SSL servers though), but leaving a security issue
open *by default* is not a better solution IMO.
Maybe an option, for both libcurl and curl, to explicitly enable the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS would do the trick?
Alternative solutions/opinions would be welcome, if you happen to have any.
Cheers
--
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
