From c21506ba024adb6d5655a92d61c1d3824e5dedcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Fri, 14 Jun 2002 12:21:11 +0000 Subject: New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC vulnerability workaround (included in SSL_OP_ALL). PR: #90 --- doc/ssl/SSL_CTX_set_options.pod | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index c10055c6e7..3b918178fd 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -100,14 +100,22 @@ doing a re-connect, always takes the first cipher in the cipher list. ... +=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + +Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol +vulnerability affecting CBC ciphers, which cannot be handled by some +broken SSL implementations. This option has no effect for connections +using other ciphers. + =item SSL_OP_ALL All of the above bug workarounds. =back -It is safe and recommended to use B to enable the bug workaround -options. +It is usually safe to use B to enable the bug workaround +options if compatibility with somewhat broken implementations is +desired. The following B options are available: @@ -219,4 +227,9 @@ B has been added in OpenSSL 0.9.6 and was automatically enabled with B. As of 0.9.7, it is no longer included in B and must be explicitly set. +B has been added in OpenSSL 0.9.6e. +Versions up to OpenSSL 0.9.6c do not include the countermeasure that +can be disabled with this option (in OpenSSL 0.9.6d, it was always +enabled). + =cut -- cgit v1.2.3
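Review bot: in the first hunk, the new `=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` text is ambiguous about what the broken implementations cannot handle: "which cannot be handled by some broken SSL implementations" grammatically attaches to "vulnerability", but it is the countermeasure that those implementations choke on; also "a SSL 3.0/TLS 1.0" should read "an SSL 3.0/TLS 1.0". Because this item sits above `=item SSL_OP_ALL` and that item still says "All of the above bug workarounds.", the documentation now implies that SSL_OP_ALL switches the countermeasure off, so the item should spell out the security consequence of setting it rather than describing it only as a workaround, for example: "Disables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers; some broken SSL implementations cannot handle the countermeasure. Setting this option (directly or via SSL_OP_ALL) leaves connections using CBC ciphers exposed to that vulnerability."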
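Review bot: the history paragraph added in the second hunk records when the option and the countermeasure appeared (0.9.6d always enabled, 0.9.6e switchable) but not the default, while the commit subject says the option is "included in SSL_OP_ALL"; since the preceding paragraph documents an option that was removed from SSL_OP_ALL in 0.9.7 and "must be explicitly set", readers will want the same statement for this one: add a sentence saying that SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is part of SSL_OP_ALL as of 0.9.6e, so applications that set SSL_OP_ALL lose the countermeasure on upgrade unless they clear the option, and state whether that remains true in 0.9.7.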