| author | Bodo Möller <bodo@openssl.org> | 2002-06-14 12:19:34 +0000 |
|---|---|---|
| committer | Bodo Möller <bodo@openssl.org> | 2002-06-14 12:19:34 +0000 |
| commit | 32a76f2c75fd9e6bd126e43e0220f3830ffaa805 (patch) | |
| tree | 1e5f2aaf00ebfbd3da2f9b4c35e4fbd316ee16d5 /doc | |
| parent | 578c1cdefaf1416214140173c6770dd953b57672 (diff) | |
| download | openssl-32a76f2c75fd9e6bd126e43e0220f3830ffaa805.tar.gz | |
New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC
vulnerability workaround (included in SSL_OP_ALL).
PR: #90
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 17 |
|---|---|---|

1 files changed, 15 insertions, 2 deletions
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 5842a31fa4..320fc93074 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -112,14 +112,22 @@ only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection.) +=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + +Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol +vulnerability affecting CBC ciphers, which cannot be handled by some +broken SSL implementations. This option has no effect for connections +using other ciphers. + =item SSL_OP_ALL All of the above bug workarounds. =back -It is save and recommended to use SSL_OP_ALL to enable the bug workaround -options. +It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround +options if compatibility with somewhat broken implementations is +desired. The following B<modifying> options are available: @@ -199,4 +207,9 @@ L<dhparam(1)|dhparam(1)> SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. +B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e. +Versions up to OpenSSL 0.9.6c do not include the countermeasure that +can be disabled with this option (in OpenSSL 0.9.6d, it was always +enabled). + =cut |
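Review bot: in the first hunk (@@ -112,14 +112,22 @@), the new SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS paragraph has a misplaced relative clause: "vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations" reads as if the vulnerability is what broken peers cannot handle, whereas it is the countermeasure (the inserted empty fragments the option is named after) that they choke on; also "a SSL 3.0/TLS 1.0" should be "an SSL 3.0/TLS 1.0". Suggest: "Disables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. The countermeasure, which inserts empty fragments, cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers." Since the new item sits above "=item SSL_OP_ALL ... All of the above bug workarounds", SSL_OP_ALL now also switches off a security countermeasure (the commit message confirms it is included), so the rewritten "It is usually safe to use B<SSL_OP_ALL> ..." sentence should say so explicitly, e.g. by appending: "Note that B<SSL_OP_ALL> includes B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>, which disables the CBC vulnerability countermeasure." Otherwise callers who only want interoperability workarounds will not realise they are giving up that protection.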
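Review bot: in the second hunk (@@ -199,4 +207,9 @@), the new HISTORY entry wraps the option name in B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> while the existing line directly above it uses bare "SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6."; pick one style for the section (the earlier hunk also switched SSL_OP_ALL to B<SSL_OP_ALL>, so B<> is the consistent choice and the old line could be updated in the same change). The version note is also left for the reader to infer: it says 0.9.6c lacked the countermeasure and 0.9.6d always enabled it, but never states the 0.9.6e behaviour that follows from "Disables a countermeasure" in the item text. Suggest adding a sentence such as: "As of OpenSSL 0.9.6e, the countermeasure is enabled unless this option is set."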