From 62d15f159e163bf4e1a27ac1b0ffd9b84e02bf56 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 6 Feb 2012 22:25:04 +0100
Subject: [PATCH] --ssl-allow-beast added
This new option tells curl to not work around a security flaw in the SSL3 and TLS1.0 protocols. It uses the new libcurl option CURLOPT_SSL_OPTIONS with the CURLSSLOPT_ALLOW_BEAST bit set.
---
 docs/curl.1 | 6 ++++++
 src/tool_cfgable.h | 4 ++--
 src/tool_getparam.c | 7 ++++++-
 src/tool_help.c | 3 ++-
 src/tool_operate.c | 4 ++++
 5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index 5bc8f0d..4520e1b 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1259,6 +1259,12 @@ connection if the server doesn't support SSL/TLS. (Added in 7.20.0)
 This option was formerly known as \fI--ftp-ssl-reqd\fP (added in 7.15.5). That option name can still be used but will be removed in a future version.
+.IP "--ssl-allow-beast"
+(SSL) This option tells curl to not work around a security flaw in the SSL3
+and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
+may use work-arounds known to cause interoperability problems with some older
+SSL implementations. WARNING: this option loosens the SSL security, and by
+using this flag you ask for exactly that. (Added in 7.25.0)
 .IP "--socks4 "
 Use the specified SOCKS4 proxy. If the port number is not specified, it is assumed at port 1080. (Added in 7.15.2)
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index adbb446..6e66191 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -7,7 +7,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -195,7 +195,7 @@ struct Configurable {
 bool xattr; /* store metadata in extended attributes */
 long gssapi_delegation;
-
+ bool ssl_allow_beast; /* allow this SSL vulnerability */
 }; /* struct Configurable */
 void free_config_fields(struct Configurable *config);
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index bd7375f..e65371f 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -202,6 +202,7 @@ static const struct LongShort aliases[]= {
 {"Ek", "tlsuser", TRUE},
 {"El", "tlspassword", TRUE},
 {"Em", "tlsauthtype", TRUE},
+ {"En", "ssl-no-empty-fragments", FALSE},
 {"f", "fail", FALSE},
 {"F", "form", TRUE},
 {"Fs", "form-string", TRUE},
@@ -1144,6 +1145,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
 else
 return PARAM_LIBCURL_DOESNT_SUPPORT;
 break;
+ case 'n': /* no empty SSL fragments */
+ if(curlinfo->features & CURL_VERSION_SSL)
+ config->ssl_allow_beast = toggle;
+ break;
 default: /* certificate file */
 {
 char *ptr = strchr(nextarg, ':');
diff --git a/src/tool_help.c b/src/tool_help.c
index 7c7d8d3..a3e9da0 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
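Review bot: The comment on the new field, `/* allow this SSL vulnerability */`, does not say which work-around is being switched off or which libcurl option the flag drives, so a reader of tool_cfgable.h has to dig up this commit to learn what the field means. Suggest `bool ssl_allow_beast; /* --ssl-allow-beast: sets CURLSSLOPT_ALLOW_BEAST, i.e. do not apply the SSL3/TLS1.0 BEAST work-around */`, which ties the field to the man page text and the CURLOPT_SSL_OPTIONS call in tool_operate.c. The struct Configurable definition begins before this hunk.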
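Review bot: The alias added to the table is `"ssl-no-empty-fragments"`, but the docs/curl.1 hunk and the Subject line introduce the option as `--ssl-allow-beast`, and the helptext hunk in src/tool_help.c prints it as `--ssl-allow-below`; as committed, the documented spelling is not recognised by getparameter and the spelling that is recognised appears in no documentation. Use one name in all three places: `{"En", "ssl-allow-beast", FALSE},` here, `" --ssl-allow-beast Allow security flaw to improve interop (SSL)",` in tool_help.c, and update the `case 'n': /* no empty SSL fragments */` comment in the getparameter hunk below to match. Because the option only loosens security, a user who types the documented name and gets an unknown-option error fails safe, but `curl --help` still advertises a flag that does not exist.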
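Review bot: When libcurl reports no CURL_VERSION_SSL, the new `case 'n'` silently discards the flag, whereas the branch directly above it in the same hunk reports a missing feature with `return PARAM_LIBCURL_DOESNT_SUPPORT;`. If the silent no-op is deliberate (asking to weaken a TLS layer that is not there changes nothing), a comment such as `/* no SSL layer: nothing to loosen, ignore the flag */` would keep the next reader from "fixing" it; otherwise add `else return PARAM_LIBCURL_DOESNT_SUPPORT;` after the if so the user learns the request was not honoured. The enclosing switch and getparameter() start and end outside this hunk.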
@@ -187,6 +187,7 @@ static const char *const helptext[] = {
 " --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
 " -2, --sslv2 Use SSLv2 (SSL)",
 " -3, --sslv3 Use SSLv3 (SSL)",
+ " --ssl-allow-below Allow security flaw to improve interop (SSL)",
 " --stderr FILE Where to redirect stderr. - means stdout",
 " --tcp-nodelay Use the TCP_NODELAY option",
 " -t, --telnet-option OPT=VAL Set telnet option",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 1557e62..f3fb8ef 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1234,6 +1234,10 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
 my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation);
+ /* new in 7.25.0 */
+ if(config->ssl_allow_beast)
+ my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);
+
 /* initialize retry vars for loop below */
 retry_sleep_default = (config->retry_delay) ? config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
--
2.7.4
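Review bot: The comment `/* new in 7.25.0 */` records when the lines were added but not what they do, and the call passes a single bit as the whole CURLOPT_SSL_OPTIONS value; since the commit message describes that option as a bit set, a later CURLSSLOPT_* flag presumably has to be OR-ed into this same call rather than set with a second my_setopt, which would replace the value. Suggest `/* --ssl-allow-beast: CURLOPT_SSL_OPTIONS is a bitmask, OR any further CURLSSLOPT_* bits into this one call */` in place of the version note. operate() starts and ends outside this hunk.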