Fix CVE-2011-3389 by clearing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS...
index 260b0aa31f16eaf5f0d9023716a57834ff024983..5f168b5b463e8aa88c93aaef0174cc7fdf6ea9c9 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -901,6 +901,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 
        SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
 
+       {
+           char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+           if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+               SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+       }
+
        if (certck) {
                SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
        } else {
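Review bot: The opt-out test on the added `if` line is a presence check, not a value check: any non-blank value of `FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE`, including `0`, `no` or `false`, disables the countermeasure, so a user who sets it to "0" to keep the default silently loses the CVE-2011-3389 mitigation. Either document that the variable is a flag whose mere presence disables the countermeasure, or compare against an explicit value, e.g. `if (tmp == NULL || strcmp(tmp, "1") != 0)`. The clear is also order-dependent, since `SSL_OP_ALL` on the preceding line sets `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`; a comment above the block would stop a later edit from re-setting `SSL_OP_ALL` and undoing the fix: `/* SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; clear it so OpenSSL's empty-fragment countermeasure (CVE-2011-3389) stays active unless the environment explicitly disables it. */`. Logging when the countermeasure is disabled would help operators notice, though no such report call is visible in this hunk; `SSLOpen` begins and ends outside the hunk.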