On Sat, Feb 04, 2012 at 10:11:31PM +0100, Alessandro Ghedini wrote: > > AFAIU, the problem is that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option is > meant to keep compatibility with some older and broken SSL implementations > that don't support empty fragments, but it also re-introduces a security > issue. > > That's why such option was disabled in curl 7.24.0 (and backported to > stable-security). It was a mistake on the curl developers side to enable it > in the first place (it was done by accident because of the not-so-clear > OpenSSL documentation, according to upstream). > > I understand that this may cause problems (the incompatibility didn't show > up in my tests with live SSL servers though), but leaving a security issue > open *by default* is not a better solution IMO. > > Maybe an option, for both libcurl and curl, to explicitly enable the > SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS would do the trick? > > Alternative solutions/opinions would be welcome, if you happen to have any.
Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default would be fine if I had the option to turn it on. In that case it's my decision to ignore the security consequences. Kurt -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
