author | Scott MacVicar <scottmac@php.net> | 2012-01-26 05:15:57 +0000 |
---|---|---|
committer | Scott MacVicar <scottmac@php.net> | 2012-01-26 05:15:57 +0000 |
commit | 398c6e6d1153ca2034a152977d1700629b146e43 (patch) | |
tree | 62cdfc1f67bee50d90825e0219bdad5f883b5cff /ext/ftp | |
parent | bbd6ab2054cbaffbc510a5a9e491a23898faaea9 (diff) | |
download | php-git-398c6e6d1153ca2034a152977d1700629b146e43.tar.gz |
MFH r322485
Fix possible attack in SSL sockets with SSL 3.0 / TLS 1.0.
CVE-2011-3389
Diffstat (limited to 'ext/ftp')
-rw-r--r-- | ext/ftp/ftp.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
index 8b74e03c1a..4156a04581 100644
--- a/ext/ftp/ftp.c
+++ b/ext/ftp/ftp.c
@@ -243,6 +243,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
 {
 #if HAVE_OPENSSL_EXT
 SSL_CTX *ctx = NULL;
+ long ssl_ctx_options = SSL_OP_ALL;
 #endif
 if (ftp == NULL) {
 return 0;
@@ -279,7 +280,10 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
 return 0;
 }
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(ctx, ssl_ctx_options);
 ftp->ssl_handle = SSL_new(ctx);
 if (ftp->ssl_handle == NULL) {
@@ -1495,6 +1499,7 @@ data_accept(databuf_t *data, ftpbuf_t *ftp TSRMLS_DC)
 #if HAVE_OPENSSL_EXT
 SSL_CTX *ctx;
+ long ssl_ctx_options = SSL_OP_ALL;
 #endif
 if (data->fd != -1) {
@@ -1521,7 +1526,10 @@ data_accepted:
 return 0;
 }
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+ SSL_CTX_set_options(ctx, ssl_ctx_options);
 data->ssl_handle = SSL_new(ctx);
 if (data->ssl_handle == NULL) { |
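Review bot: The lines in the second `ftp_login` hunk that clear `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` before `SSL_CTX_set_options()` carry no comment, so a later cleanup could fold the mask back into plain `SSL_OP_ALL` and switch the countermeasure off again without anyone noticing. I would add `/* SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which disables OpenSSL's CBC empty-fragment countermeasure; keep it enabled (CVE-2011-3389). */` above the `#if`. The guard would also read more directly as a feature test, `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, than as the bare version constant `0x0090605fL`. The same applies to the identical lines in the `data_accept` hunk at `data_accepted:`; both function bodies continue outside their hunks.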
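Review bot: The option mask for the data channel in `data_accept` is built by a second copy of the four lines already added to `ftp_login`, so the control and data TLS contexts can drift apart the next time one of them is hardened. A small file-local helper that returns the mask, called from both `SSL_CTX_set_options()` sites, would keep the two connections on the same option set and would make the `ssl_ctx_options` locals added in the two declaration hunks unnecessary. The sketch below keeps the commit's version guard unchanged; the helper name is only a suggestion, and `data_accept` continues outside the hunk.

```c
#if HAVE_OPENSSL_EXT
/* Option mask shared by the control and data SSL contexts: every
 * SSL_OP_ALL workaround except the one that disables the CBC
 * empty-fragment countermeasure (CVE-2011-3389). */
static long ftp_ssl_ctx_options(void)
{
	long options = SSL_OP_ALL;
#if OPENSSL_VERSION_NUMBER >= 0x0090605fL
	options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
	return options;
}
#endif

/* … unchanged: error return above the option call … */
	SSL_CTX_set_options(ctx, ftp_ssl_ctx_options());
	data->ssl_handle = SSL_new(ctx);
```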