Clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS without SSL_CTX_clear_options()
authorEarl Chew <earl_chew@yahoo.com>
Mon, 3 Sep 2012 21:04:08 +0000 (23:04 +0200)
committerMatthias Andree <matthias.andree@gmx.de>
Mon, 3 Sep 2012 21:04:08 +0000 (23:04 +0200)
A patch to clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS was added recently:

  http://gitorious.org/fetchmail/fetchmail/commit/48809c5b9f6c9081f4031fa938dd63b060c18a4b?format=patch

Older implementations of OpenSSL do not support SSL_CTX_clear_options().

This patch reworks the previous change to avoid the use of
SSL_CTX_clear_options() and instead clears the corresponding bit in
SSL_OP_ALL before calling SSL_CTX_set_options().

socket.c

index 5f168b5b463e8aa88c93aaef0174cc7fdf6ea9c9..634b4760b87d0ffa106620e62a436967a50d1ea8 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -844,6 +844,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 {
         struct stat randstat;
         int i;
+       long sslopts = SSL_OP_ALL;
 
        SSL_load_error_strings();
        SSL_library_init();
@@ -899,14 +900,14 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
                return(-1);
        }
 
-       SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
-
        {
            char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
            if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
-               SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+               sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
        }
 
+       SSL_CTX_set_options(_ctx[sock], sslopts);
+
        if (certck) {
                SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
        } else {
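Review bot: The reason for clearing the bit is not recorded at the site even though it is a security-relevant decision: SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which turns off OpenSSL's empty-fragment countermeasure for CBC ciphersuites, so the line `sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` is what restores that protection by default. I would put a comment above the block, along the lines of `/* SSL_OP_ALL sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which disables the CBC IV countermeasure; clear it unless the user opted out via FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE (for peers that cannot handle empty fragments). */`. Since an unset or blank variable is the secure default and any non-blank value weakens the connection, it may be worth reporting when the opt-out actually takes effect so the weakened configuration is visible in the log; the hunk shows no logging call at this point, so I am not naming one. SSLOpen's body continues outside the hunk.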