Clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS without SSL_CTX_clear_options()
index 5f168b5b463e8aa88c93aaef0174cc7fdf6ea9c9..634b4760b87d0ffa106620e62a436967a50d1ea8 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -844,6 +844,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 {
         struct stat randstat;
         int i;
+       long sslopts = SSL_OP_ALL;
 
        SSL_load_error_strings();
        SSL_library_init();
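Review bot: The new local `long sslopts = SSL_OP_ALL;` holds an option mask in a signed type, and the second hunk then applies `&= ~` to it. Depending on the OpenSSL release, SSL_OP_ALL may have its top bit set, and newer releases take the options argument as a wider unsigned type, so a signed `long` can change sign or lose bits on platforms where `long` is 32 bits. An unsigned declaration such as `unsigned long sslopts = SSL_OP_ALL;` keeps the mask arithmetic well defined; the right width should be confirmed against the OpenSSL versions fetchmail supports. SSLOpen's body continues outside this hunk.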
@@ -899,14 +900,14 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
                return(-1);
        }
 
-       SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
-
        {
            char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
            if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
-               SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+               sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
        }
 
+       SSL_CTX_set_options(_ctx[sock], sslopts);
+
        if (certck) {
                SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
        } else {
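Review bot: SSL_CTX_set_options() only ORs bits into the context, so with this change the CBC IV countermeasure is active only if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS was not already set on `_ctx[sock]` before the new call. The removed SSL_CTX_clear_options() call cleared the bit regardless. The context is created above the hunk, so this presumably holds for a fresh context, but the assumption deserves a comment next to the call, e.g. `/* set_options() can only add bits; relies on a new SSL_CTX not having DONT_INSERT_EMPTY_FRAGMENTS set */`. The same comment could record that any non-blank value of FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE, including `0`, leaves the countermeasure off, since the test on `tmp` only checks for empty or whitespace-only content.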