New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC
vulnerability workaround (included in SSL_OP_ALL).
PR: #90
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 6dfef5c..72ac8b6 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -378,13 +378,18 @@
ret = ssl3_generate_key_block(s,p,num);
- /* enable vulnerability countermeasure for CBC ciphers with
- * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
- s->s3->need_empty_fragments = 1;
+ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+ {
+ /* enable vulnerability countermeasure for CBC ciphers with
+ * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
+ */
+ s->s3->need_empty_fragments = 1;
+
#ifndef OPENSSL_NO_RC4
- if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
- s->s3->need_empty_fragments = 0;
+ if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
+ s->s3->need_empty_fragments = 0;
#endif
+ }
return ret;
