From: Emeric Brun
Date: Mon, 3 Dec 2012 12:24:29 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err
X-Git-Tag: v1.5-dev15~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1eb20efe701ef555efb430bf42d9c3064d2c3c7e;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err

When using ca_ignore_err/crt_ignore_err, a connection to an untrusted server raises an error which is ignored. But the next SSL_read() that encounters EAGAIN raises the error again, breaking the connection. Subsequent connections don't have this problem because the session has been stored and is correctly reused without performing a verify again. The solution consists in correctly flushing the SSL error stack when ignoring the crt/ca error.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 35c7bd91d5..8ee7eb7baf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -127,8 +127,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
 		conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
 	}
 
-	if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err))
+	if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+		ERR_clear_error();
 		return 1;
+	}
 
 	conn->err_code = CO_ER_SSL_CA_FAIL;
 	return 0;
@@ -138,8 +140,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
 	conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
 
 	/* check if certificate error needs to be ignored */
-	if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err))
+	if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+		ERR_clear_error();
 		return 1;
+	}
 
 	conn->err_code = CO_ER_SSL_CRT_FAIL;
 	return 0;
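Review bot: The mask test `(1ULL << err)` on the rewritten `if` line is undefined behaviour whenever `err` is 64 or greater, because the shift count then reaches the width of the 64-bit operand, and the `ca_ignerr` field can only represent verify error codes 0..63 anyway; if `err` can exceed 63 (newer OpenSSL releases define X509 verify error codes above that, as far as I recall) the check should be bounded, e.g. `if (err < 64 && (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err))) {`, with out-of-range codes treated as not ignorable. The added `ERR_clear_error();` also deserves a why-comment so a later cleanup does not drop it as dead code: `/* flush the error queue: the next SSL_read() hitting EAGAIN would otherwise report this ignored error */`. Be aware that `ERR_clear_error()` empties the whole thread-local queue, not just the entry for this failure, so after this point only `conn->xprt_st` (set on the context line above) still carries anything about the ignored error. ssl_sock_verifycbk starts before this hunk.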
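Review bot: The `crt_ignerr` branch now duplicates the exact `ERR_clear_error(); return 1;` sequence of the `ca_ignerr` branch earlier in the same function, and both share the unbounded `(1ULL << err)` shift, so a single `err_ignored:` label at the end of the function (`err_ignored: ERR_clear_error(); return 1;`) reached by `goto` from both ignore checks would keep the flush in one place and make a future range check on `err` a one-line change. Since the queue is flushed before returning, the `conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);` on the first context line is the only record of which verify error was overridden; a short comment on the flush, `/* error recorded in xprt_st above; drop the queue so it is not reported later */`, would make that dependency explicit. Returning 1 here accepts the peer certificate despite the failed check, which is the documented intent of crt-ignore-err, but it is worth stating in the comment that this is a deliberate trust downgrade. The enclosing function continues past the end of this hunk.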