I am trying to verify if the openssl env I am working in 0.9.8u is affected or not. I don't beleive it is because it seems this is NOT a default option that is enabled.
Line from the CVE-2011-338 OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized. My question is where do you add these 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' initialization options? Brad
