OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around working, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple
---
diff --up a/lib/ssluse.c b/lib/ssluse.c
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1187,6 +1187,7 @@ Curl_ossl_connect_step1(struct connectda
   void *ssl_sessionid=NULL;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long ctx_options;
 
   curlassert(ssl_connect_1 == connssl->connecting_state);
 
@@ -1242,8 +1243,20 @@ Curl_ossl_connect_step1(struct connectda
      enable the bug workaround options if compatibility with somewhat broken
      implementations is desired."
 
+     OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+     (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+     SSL_OP_ALL that _disables_ that work-around despite the fact that
+     SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+     keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+     must not be set.
+
   */
-  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
+
+  ctx_options = SSL_OP_ALL;
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#endif
+  SSL_CTX_set_options(connssl->ctx, ctx_options);
 
 #if 0
   /*