From: Janusz Dziemidowicz
Date: Wed, 8 Mar 2017 15:59:41 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file
X-Git-Tag: v1.8-dev1~99
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d7104982e1c41f7dc4d75ae7f7d2bbb96052d40;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file

An invalid OCSP file (for example an empty one, which can be used to allow
the OCSP response to be set dynamically later) causes errors that are placed
on the OpenSSL error stack. Those errors are not cleared, so anything that
checks this stack later will fail.

The following configuration:

    bind :443 ssl crt crt1.pem crt crt2.pem

with the following files:

    crt1.pem
    crt1.pem.ocsp - empty one
    crt2.pem.rsa
    crt2.pem.ecdsa

will fail to load.

This patch should be backported to 1.7.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 91a15af727..f947c9965e 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -478,6 +478,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi ret = 0; out: + ERR_clear_error(); + if (bs) OCSP_BASICRESP_free(bs);
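Review bot: the ERR_clear_error() placed at out: runs on every exit, including the failure paths, so any OpenSSL error reason describing why a non-empty but malformed .ocsp file was rejected is discarded before the caller can format it; if the caller of ssl_sock_load_ocsp_response reports that failure through the error queue, it will now print nothing useful, so consider logging the reason (for example via ERR_print_errors or ERR_error_string) or treating the deliberately empty file separately before clearing. Putting the clear at the single out: label is otherwise the right choice, since every early failure that jumps there leaves the queue empty for the next certificate on the bind line, and the success path (ret = 0 just above) has nothing on the queue to lose.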