Disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

Note: this can cause compilation issues on outdated OpenSSL versions.
In such situations, use a newer OpenSSL version.

diff --git a/NEWS b/NEWS
index a90d79ba25f02e2609022519e14b7344102a6692..cd7ce1855308e9891bd9b10c3093564e21f28737 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -53,6 +53,10 @@ NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED!
   Fixes BerliOS Bug #16172. Fixes Debian Bug#345788.
 * Fetchmail now enables SSL support by default. If this is undesired,
   ./configure --without-ssl should help.
+* The OpenSSL code now excludes the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option.
+  This can cause interoperability problems with certain buggy servers, but is
+  required to defang chosen-plaintext attacks against AES.  While probably hard
+  to mount against fetchmail, let's play it safe rather than be sorry later.
 
 # FEATURES ADDED
 * Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at

diff --git a/socket.c b/socket.c
index 62fe9cbd7b9543961ad778422e267eb6b1f260fa..5feff634d415e1e3e4c922b178d1408015050bb7 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -826,7 +826,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
                return(-1);
        }
 
-       SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2);
+       SSL_CTX_set_options(_ctx[sock], (SSL_OP_ALL | SSL_OP_NO_SSLv2) & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
        if (certck) {
                SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);