From: William Lallemand Date: Mon, 12 Jun 2023 14:23:29 +0000 (+0200) Subject: BUG/MINOR: ssl: log message non thread safe in SSL Hanshake failure X-Git-Tag: v2.9-dev1~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c9ff0cde451db6fdd2f9f1159e622f1646d5eb1;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: log message non thread safe in SSL Hanshake failure It was reported in issue #2181, strange behavior during the new SSL hanshake failure logs. Errors were logged with the code 0, which is unknown to OpenSSL. This patch mades 2 changes: - It stops using ERR_error_string() when the SSL error code is 0 - It uses ERR_error_string_n() to be thread-safe Must be backported to 2.8.
---
diff --git a/src/session.c b/src/session.c
index ef8a19412c..d3b0c886de 100644
--- a/src/session.c
+++ b/src/session.c
@@ -367,11 +367,13 @@ static void session_build_err_string(struct session *sess)
 #ifdef USE_OPENSSL
 ssl_ctx = conn_get_ssl_sock_ctx(conn);
-
- if (conn->err_code == CO_ER_SSL_HANDSHAKE && ssl_ctx) {
- const char *err_ssl_str = ERR_error_string(ssl_ctx->error_code, NULL);
-
- chunk_appendf(&trash, ": SSL handshake failure (%s)\n", err_ssl_str);
+ /* when the SSL error code is present and during a SSL Handshake failure,
+ * try to dump the error string from OpenSSL */
+ if (conn->err_code == CO_ER_SSL_HANDSHAKE && ssl_ctx && ssl_ctx->error_code != 0) {
+ chunk_appendf(&trash, ": SSL handshake failure (");
+ ERR_error_string_n(ssl_ctx->error_code, b_orig(&trash)+b_data(&trash), b_room(&trash));
+ trash.data = strlen(b_orig(&trash));
+ chunk_appendf(&trash, ")\n");
 }
 else