OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around working, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple
---
diff --up a/lib/ssluse.c b/lib/ssluse.c
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -977,6 +977,7 @@ Curl_SSLConnect(struct connectdata *conn
   ASN1_TIME *certdate;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long ctx_options;
 
   /* mark this is being ssl enabled from here on out. */
   connssl->use = TRUE;
@@ -1020,9 +1021,21 @@ Curl_SSLConnect(struct connectdata *conn
      enable the bug workaround options if compatibility with somewhat broken
      implementations is desired."
 
+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+     SSL_OP_ALL that _disables_ that work-around despite the fact that
+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+     must not be set.
+
   */
-  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
-    
+
+  ctx_options = SSL_OP_ALL;
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+  SSL_CTX_set_options(connssl->ctx, ctx_options);
+   
   if(data->set.cert) {
     if(!cert_stuff(conn,
                    connssl->ctx,