I just commited a fix for this problem. The code was incorrect
in multiple ways:
1. The SSL error queue for the thread might not have been empty,
so incorrect error codes might have been handled.
FIX: call ERR_clear_error() before calling SSL_connect
2. SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE was not handled
at all.
FIX: I overcame this problem by making the socket blocking
while calling SSL_connect. This should not be a problem since
this function calls conn_open_tcp which might block, too.
3. In case of an error conn_destroy might have been called with a
half initialized Connection. This might cause a crash when the
ssl_mutex was still NULL.
FIX: make sure the mutex is created before any error handling.
I suspect 1.) might be true for other SSL I/O calls as well. This
should be audited.
Regards
Jörg
-----Original Message-----
From: Jörg Pommnitz
To: 'Stipe Tolj '
Cc: ''[EMAIL PROTECTED]' '
Sent: 12/7/01 12:07 PM
Subject: RE: Heads up: SSL client code to verify SSL server certificates
Thanks, however I just discovered some misbehaviour that I'm unsure
whom to blame for:
If a certificate gets rejected than this currently not detected in
Connection *conn_open_ssl(Octstr *host, int port, Octstr *certkeyfile,
Octstr *our_host)
and I don't understand why. HTTP requests over a SSL connection later
fail when they try to write something. I suspect this never came up
until now because the SSL negotiations always succeeded.
Any ideas?
Regards
Jörg
