From 1eb20efe701ef555efb430bf42d9c3064d2c3c7e Mon Sep 17 00:00:00 2001
From: Emeric Brun
Date: Mon, 3 Dec 2012 13:24:29 +0100
Subject: [PATCH] BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err

When using ca_ignore_err/crt_ignore_err, a connection to an untrusted server raises an error which is ignored. But the next SSL_read() that encounters EAGAIN raises the error again, breaking the connection.

Subsequent connections don't have this problem because the session has been stored and is correctly reused without performing a verify again.

The solution consists in correctly flushing the SSL error stack when ignoring the crt/ca error.
---
 src/ssl_sock.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 35c7bd91d5..8ee7eb7baf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -127,8 +127,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
 		conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
 	}
 
-	if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err))
+	if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+		ERR_clear_error();
 		return 1;
+	}
 
 	conn->err_code = CO_ER_SSL_CA_FAIL;
 	return 0;
@@ -138,8 +140,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
 		conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
 
 	/* check if certificate error needs to be ignored */
-	if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err))
+	if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+		ERR_clear_error();
 		return 1;
+	}
 
 	conn->err_code = CO_ER_SSL_CRT_FAIL;
 	return 0;
-- 
2.47.3
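Review bot: The new `ERR_clear_error();` in the ca_ignerr branch (and the identical call in the crt_ignerr hunk that follows) has no comment saying why it is there, so a later cleanup could drop it as unrelated to the ignore decision and silently reintroduce the bug described in the commit message; add above it `/* flush the queued verify error, otherwise a later SSL_read() hitting EAGAIN would report it and break the connection */`. It is also worth stating in that comment that ERR_clear_error() empties the whole per-thread OpenSSL error queue, not just the verify error, which is acceptable here only because the callback runs inside the handshake's verify step. Both hunks keep dereferencing `objt_listener(conn->target)->bind_conf` without a NULL guard; that line predates the patch, but if objt_listener() can yield NULL for a non-listener target it would be safer to fetch the `struct bind_conf *` once and check it before reading the ignore masks. ssl_sock_verifycbk starts and continues outside both hunks.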