From 887b863b00b9893c20eb9e1f3987ceaeade1f774 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Thu, 25 Sep 2025 12:11:15 +0200
Subject: [PATCH] openssl: clear retry flag on x509 error

When loading the trust anchors and encountering an error, clear a possibly set retry flag.
Reported in Joshua's sarif data
Closes #18724
---
 lib/vtls/openssl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 4d37f5e77f..1048bf5751 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -741,6 +741,7 @@ static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
 if(!octx->x509_store_setup) {
 r2 = Curl_ssl_setup_x509_store(cf, data, octx->ssl_ctx);
 if(r2) {
+ BIO_clear_retry_flags(bio);
 octx->io_result = r2;
 return -1;
 }
--
2.47.3
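Review bot: The added `BIO_clear_retry_flags(bio);` in the `if(r2)` branch has no comment saying why a retry flag could be set at that point, and the reason is not visible in the hunk. Presumably the read earlier in ossl_bio_cf_in_read (its body starts and ends outside the hunk) can mark the BIO for retry; returning -1 with that flag still set would let OpenSSL treat a failed trust-anchor load as a transient would-block condition rather than a hard error. I would add a comment above the call, e.g. `/* x509 store setup failed: fatal, so drop any retry flag left by the read above */`. It is also worth confirming that the caller inspects `octx->io_result` after the -1, so that the store error is the one reported; that code is outside the hunk.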