BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err
authorEmeric Brun <ebrun@exceliance.fr>
Mon, 3 Dec 2012 12:24:29 +0000 (13:24 +0100)
committerWilly Tarreau <w@1wt.eu>
Mon, 3 Dec 2012 18:39:40 +0000 (19:39 +0100)
When using ca_ignore_err/crt_ignore_err, a connection to an untrusted
server raises an error which is ignored. But the next SSL_read() that
encounters EAGAIN raises the error again, breaking the connection.

Subsequent connections don't have this problem because the session has
been stored and is correctly reused without performing a verify again.

The solution consists of correctly flushing the SSL error stack when
ignoring the crt/ca error.

src/ssl_sock.c

index 35c7bd91d5147b164ea0ed00d87109412dddd351..8ee7eb7baf47669e6aefe5277a9c78e9a7dc7ac8 100644 (file)
@@ -127,8 +127,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
                        conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
                }
 
-               if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err))
+               if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+                       ERR_clear_error();
                        return 1;
+               }
 
                conn->err_code = CO_ER_SSL_CA_FAIL;
                return 0;
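Review bot: The added ERR_clear_error() calls in this hunk and in the crt_ignerr hunk below carry no comment, and the reason they are needed is not obvious from the code alone: the verify error left in the thread's OpenSSL error queue is what the next SSL_read() hitting EAGAIN reports again, which is the bug this commit fixes. Suggest a comment above each call such as `/* flush the queued verify error so a later SSL_read() returning EAGAIN does not resurface it */`. It is worth stating there that ERR_clear_error() empties the whole per-thread queue, not only this certificate's entry, so any unrelated error already queued on this thread is discarded as well. Separately, the `1ULL << err` test on the same lines shifts by the raw verify error code, and a shift by 64 or more is undefined behaviour; a guard like `err < 64 &&` ahead of the bit test would be cheap insurance, though err is assigned outside the hunk so I cannot confirm its range here. ssl_sock_verifycbk begins before this hunk.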
@@ -138,8 +140,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
                conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
 
        /* check if certificate error needs to be ignored */
-       if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err))
+       if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+               ERR_clear_error();
                return 1;
+       }
 
        conn->err_code = CO_ER_SSL_CRT_FAIL;
        return 0;